top: Prevent integer overflows in config_file() and other_selection().

author Qualys Security Advisory <qsa@qualys.com>

Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)

committer Craig Small <csmall@enc.com.au>

Fri, 18 May 2018 21:33:15 +0000 (07:33 +1000)
author Qualys Security Advisory <qsa@qualys.com>
Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer Craig Small <csmall@enc.com.au>
Fri, 18 May 2018 21:33:15 +0000 (07:33 +1000)
diff --git a/top/top.c b/top/top.c

index 8090e97cf0c748e9f6acb047bf2882391e714cea..7eb1c660f8dfff2b5c0948ae5dd148e905bb0675 100644 (file)
--- a/top/top.c
+++ b/top/top.c
@@ -3797,6 +3797,9 @@ error Hey, fix the above fscanf 'PFLAGSSIZ' dependency !
        size_t lraw = strlen(Inspect.raw) +1;
        char *s;
  
+      if (i < 0 || (size_t)i >= INT_MAX / sizeof(struct I_ent)) break;
+      if (lraw >= INT_MAX - sizeof(fbuf)) break;
+
        if (!fgets(fbuf, sizeof(fbuf), fp)) break;
        lraw += strlen(fbuf) +1;
        Inspect.raw = alloc_r(Inspect.raw, lraw);
@@ -4644,6 +4647,9 @@ static void other_selection (int ch) {
           , inc ? N_txt(WORD_include_txt) : N_txt(WORD_exclude_txt)));
        return;
     }
+   if (Curwin->osel_prt && strlen(Curwin->osel_prt) >= INT_MAX - (sizeof(raw) + 6)) {
+      return;
+   }
     osel = alloc_c(sizeof(struct osel_s));
     osel->inc = inc;
     osel->enu = enu;
author	Qualys Security Advisory <qsa@qualys.com>
	Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)
committer	Craig Small <csmall@enc.com.au>
	Fri, 18 May 2018 21:33:15 +0000 (07:33 +1000)