Fix #232: Memory corruption bug due to Integer Overflow in remap_struct()
authorSebastien GODARD <sysstat@users.noreply.github.com>
Mon, 2 Sep 2019 13:34:27 +0000 (15:34 +0200)
committerSebastien GODARD <sysstat@users.noreply.github.com>
Mon, 2 Sep 2019 13:34:27 +0000 (15:34 +0200)
Try to avoid integer overflow when reading a corrupted binary datafile
with sadf.

Signed-off-by: Sebastien GODARD <sysstat@users.noreply.github.com>
sa_common.c

index 36016b3e50260513bceb229d3a47c3ee4d67552f..1b18dc00f6627eb6c76057ae338a7bd714a6c59c 100644 (file)
@@ -1335,7 +1335,8 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
        /* Remap [unsigned] int fields */
        d = gtypes_nr[1] - ftypes_nr[1];
        if (d) {
-               if (ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
+               if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+                   ftypes_nr[1] * UL_ALIGNMENT_WIDTH < ftypes_nr[1])
                        /* Overflow */
                        return -1;
 
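Review bot: The overflow test added in the `if (d)` branch for the int fields, and the matching three-term test in the second hunk for the fields that follow them, compares an already-wrapped `unsigned int` sum with `ftypes_nr[1]` (resp. `ftypes_nr[2]`), which does not catch every overflow: a product that wraps modulo 2^32 can still land at or above the count it is compared with. The commit message says these counts come from a possibly corrupted datafile, so a corrupted count could presumably pass the check and still feed wrapped offsets into the remapping that follows. Doing the arithmetic in a wider type removes the wrap, e.g. `if ((unsigned long long) gtypes_nr[0] * ULL_ALIGNMENT_WIDTH + (unsigned long long) ftypes_nr[1] * UL_ALIGNMENT_WIDTH > UINT_MAX) return -1;`, and bounding the sum by the real size of the structure being remapped, if remap_struct has it available, would be tighter still. The body of remap_struct starts and ends outside both hunks, so how the offsets are used afterwards is not visible here.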
@@ -1364,7 +1365,9 @@ int remap_struct(unsigned int gtypes_nr[], unsigned int ftypes_nr[],
        /* Remap possible fields (like strings of chars) following int fields */
        d = gtypes_nr[2] - ftypes_nr[2];
        if (d) {
-               if (ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
+               if (gtypes_nr[0] * ULL_ALIGNMENT_WIDTH +
+                   gtypes_nr[1] * UL_ALIGNMENT_WIDTH +
+                   ftypes_nr[2] * U_ALIGNMENT_WIDTH < ftypes_nr[2])
                        /* Overflow */
                        return -1;