From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: proc/readproc.c: Harden vectorize_this_str().
X-Git-Tag: v3.3.15~66
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6939463606f6369a6d3db4d82de0bfd548fac81e;p=procps-ng

proc/readproc.c: Harden vectorize_this_str().

This detects an integer overflow of "strlen + 1", prevents an integer overflow of "tot + adj + (2 * pSZ)", and avoids calling snprintf with a string longer than INT_MAX. Truncate rather than fail, since the callers do not expect a failure of this function.
---
diff --git a/proc/readproc.c b/proc/readproc.c
index f63143d2..2ee0f28d 100644
--- a/proc/readproc.c
+++ b/proc/readproc.c
@@ -801,9 +801,10 @@ static int read_unvectored(char *restrict const dst, unsigned sz, const char* wh
 static char** vectorize_this_str (const char* src) {
 #define pSZ (sizeof(char*))
 char *cpy, **vec;
- int adj, tot;
+ size_t adj, tot;
 tot = strlen(src) + 1; // prep for our vectors
+ if (tot < 1 || tot >= INT_MAX) tot = INT_MAX-1; // integer overflow?
 adj = (pSZ-1) - ((tot + pSZ-1) & (pSZ-1)); // calc alignment bytes
 cpy = xcalloc(tot + adj + (2 * pSZ)); // get new larger buffer
 snprintf(cpy, tot, "%s", src); // duplicate their string
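Review bot: The cap on `tot` in the added line bounds only snprintf's destination size; the call `snprintf(cpy, tot, "%s", src)` on the hunk's last line still has to account for all strlen(src) characters in its int return value, and on POSIX snprintf fails with EOVERFLOW when that count exceeds INT_MAX, so the commit message's aim of not handing snprintf an over-long string is not actually met and what ends up in `cpy` in that case is implementation-dependent (glibc, as far as I recall, writes nothing and leaves the zero-filled buffer as an empty string). Since the buffer comes from xcalloc, which presumably zero-fills like calloc, the bounded copy `memcpy(cpy, src, tot - 1);` produces the same NUL-terminated truncated prefix without depending on snprintf's int-sized accounting. The `tot < 1` test only fires when strlen(src) == SIZE_MAX, which is correct but deserves a more explicit comment than `// integer overflow?`, e.g. `// tot wrapped to 0, or exceeds snprintf's INT_MAX limit: truncate`. vectorize_this_str continues past the end of the hunk, so the later uses of the truncated `tot` (the vector placement) are not visible here.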