mirror/json-c
1
0
Fork 0
mirror of https://github.com/json-c/json-c.git synced 2026-03-24 07:29:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Protect array_list_del_idx against size_t overflow.

Browse Source 
If the assignment of stop overflows due to idx and count being
larger than SIZE_T_MAX in sum, out of boundary access could happen.

It takes invalid usage of this function for this to happen, but
I decided to add this check so array_list_del_idx is as safe against
bad usage as the other arraylist functions.
This commit is contained in:
Tobias Stoeckmann
2020-05-04 19:41:16 +02:00
parent 1059007024
commit 099016b7e8
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
arraylist.c
View File

@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
{
size_t i, stop;
/* Avoid overflow in calculation with large indices. */
if (idx > SIZE_T_MAX - count)
return -1;
stop = idx + count;
if (idx >= arr->length || stop > arr->length)
return -1;