From f7b84fcc67baf6221b89ffcb75a946ae045cb0df Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Tue, 17 Sep 2019 21:26:52 +0200
Subject: [PATCH] Fixed segfault during excessive evaluation.

It is possible to trigger a segmentation fault while processing an evaluation of repeating string.

On a Linux 64 bit system, enter this (or adjust arguments for 32 bit accordingly):

/eval -n ${repeat:1073741824,----}

It will overflow an integer calculation because int instead of size_t is used.

Proper check of int limitations fixes this issue. I haven't changed this specific piece of code to size_t because it would crash in other parts of the code tree instead. For now, int is a limitating factor when it comes to strings (and should be enough for sane use cases).

Signed-off-by: Tobias Stoeckmann
---
 src/core/wee-string.c                | 5 +++++
 tests/unit/core/test-core-string.cpp | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/src/core/wee-string.c b/src/core/wee-string.c
index 19a25b28b..5025958a1 100644
--- a/src/core/wee-string.c
+++ b/src/core/wee-string.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -224,6 +225,10 @@ string_repeat (const char *string, int count)
         return strdup (string);
 
     length_string = strlen (string);
+
+    if (count >= INT_MAX / length_string)
+        return NULL;
+
     length_result = (length_string * count) + 1;
     result = malloc (length_result);
     if (!result)
diff --git a/tests/unit/core/test-core-string.cpp b/tests/unit/core/test-core-string.cpp
index 11ec19b4d..a1dda1af2 100644
--- a/tests/unit/core/test-core-string.cpp
+++ b/tests/unit/core/test-core-string.cpp
@@ -26,6 +26,7 @@ extern "C"
 #ifndef HAVE_CONFIG_H
 #define HAVE_CONFIG_H
 #endif
+#include
 #include
 #include
 #include
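Review bot: The new guard `if (count >= INT_MAX / length_string)` divides by length_string, so it is only safe if the empty-string case has already returned above it; that early return is outside the hunk and worth confirming, or the guard can be made self-contained as `if (length_string == 0 || count >= INT_MAX / length_string)`. The line also deserves a why-comment, since `>=` rather than `>` is deliberate: `/* length_string * count + 1 must fit in an int; >= keeps room for the NUL */`. If length_string is declared int (the commit message says the widths here are int), a string longer than INT_MAX is already truncated by the strlen assignment and cannot be caught by this check — acceptable given the stated scope, but worth stating in that comment. The rest of string_repeat, including its early returns and the copy loop, lies outside the hunk.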
@@ -300,6 +301,8 @@ TEST(CoreString, Reverse)
 TEST(CoreString, Repeat)
 {
     POINTERS_EQUAL(NULL, string_repeat (NULL, 1));
+    POINTERS_EQUAL(NULL, string_repeat ("----", INT_MAX / 4));
+
     STRCMP_EQUAL("", string_repeat ("", 1));
     STRCMP_EQUAL("", string_repeat ("x", -1));