FIx another potential buffer overflow, from Colin Percival.

author Christos Zoulas <christos@zoulas.com>

Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)

committer Christos Zoulas <christos@zoulas.com>

Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)
author Christos Zoulas <christos@zoulas.com>
Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)
committer Christos Zoulas <christos@zoulas.com>
Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)
diff --git a/src/funcs.c b/src/funcs.c

index 7da60e47f76c86779aebf5a6a0bb76d5ed259247..e4ef505b8d3808ca257ef83e5e354265de9d0853 100644 (file)
--- a/src/funcs.c
+++ b/src/funcs.c
@@ -26,7 +26,6 @@
   */
  #include "file.h"
  #include "magic.h"
-#include <assert.h>
  #include <stdarg.h>
  #include <stdlib.h>
  #include <string.h>
@@ -39,7 +38,7 @@
  #endif
  
  #ifndef        lint
-FILE_RCSID("@(#)$File: funcs.c,v 1.30 2007/03/25 21:46:52 christos Exp $")
+FILE_RCSID("@(#)$File: funcs.c,v 1.31 2007/05/24 12:29:54 christos Exp $")
  #endif /* lint */
  
  #ifndef HAVE_VSNPRINTF
@@ -247,8 +246,11 @@ file_getbuffer(struct magic_set *ms)
  
         len = ms->o.size - ms->o.left;
         /* * 4 is for octal representation, + 1 is for NUL */
+       if (len > (SIZE_T_MAX - 1) / 4) {
+               file_oomem(ms);
+               return NULL;
+       }
         psize = len * 4 + 1;
-       assert(psize > len);
         if (ms->o.psize < psize) {
                 if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
                         file_oomem(ms, psize);
author	Christos Zoulas <christos@zoulas.com>
	Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)
committer	Christos Zoulas <christos@zoulas.com>
	Thu, 24 May 2007 12:29:54 +0000 (12:29 +0000)