From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 28 Apr 2024 21:57:27 +0200
Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm
Requires string input that is longer than INT_MAX / 6 - 1 to exploit.
---
src/UriQuery.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/UriQuery.c b/src/UriQuery.c
index b2734bc2..4885ff05 100644
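--- a/src/UriQuery.c
+++ b/src/UriQuery.c
@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
 if (res != URI_SUCCESS) {
 return res;
 }
+ if (charsRequired == INT_MAX) {
+ return URI_ERROR_MALLOC;
+ }
 charsRequired++;
 
 /* Allocate space */
- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
+ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
 if (queryString == NULL) {
 return URI_ERROR_MALLOC;
 }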
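Review bot: The new guard before `charsRequired++` only stops the signed increment from overflowing; the size multiplication that used to be `charsRequired * sizeof(URI_CHAR)` is now left to `memory->calloc`, so it is overflow-safe only if the caller-supplied memory manager's `calloc` checks `nmemb * size` itself. I would say so above the allocation, e.g. `/* calloc, not malloc: the manager's calloc must reject nmemb * size overflow */`, and note beside the guard that `URI_ERROR_MALLOC` here means the size is not representable, not that an allocation failed. All four insertions in the diffstat are in this hunk, so the commit adds no `#include <limits.h>`; presumably `INT_MAX` is already in scope in UriQuery.c, which is worth confirming. The body of ComposeQueryMallocExMm starts and ends outside the hunk, so whether `memory` has been validated as complete (with a non-NULL `calloc`) before this point cannot be seen here.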