mirror/json-c
1
0
Fork 0
mirror of https://github.com/json-c/json-c.git synced 2026-03-31 02:49:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix CVE-2020-12762.

Browse Source 
This commit is a squashed backport of the following commits
on the master branch:

  * 099016b7e8
  * 77d935b7ae
  * d07b910149
  * 519dfe1591
  * a59d5acfab
This commit is contained in:
Björn Esser
2020-05-14 12:32:30 +02:00
parent 0daf8dc826
commit 865b5a6519
5 changed files with 74 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
printbuf.c
View File

@@ -15,6 +15,7 @@
#include "config.h"
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -64,10 +65,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
if (p->size >= min_size)
return 0;
new_size = p->size * 2;
if (new_size < min_size + 8)
new_size = min_size + 8;
/* Prevent signed integer overflows with large buffers. */
if (min_size > INT_MAX - 8)
return -1;
if (p->size > INT_MAX / 2)
new_size = min_size + 8;
else {
new_size = p->size * 2;
if (new_size < min_size + 8)
new_size = min_size + 8;
}
#ifdef PRINTBUF_DEBUG
MC_DEBUG("printbuf_memappend: realloc "
"bpos=%d min_size=%d old_size=%d new_size=%d\n",
@@ -82,14 +89,18 @@ static int printbuf_extend(struct printbuf *p, int min_size)
int printbuf_memappend(struct printbuf *p, const char *buf, int size)
{
if (p->size <= p->bpos + size + 1) {
if (printbuf_extend(p, p->bpos + size + 1) < 0)
return -1;
}
memcpy(p->buf + p->bpos, buf, size);
p->bpos += size;
p->buf[p->bpos]= '\0';
return size;
/* Prevent signed integer overflows with large buffers. */
if (size > INT_MAX - p->bpos - 1)
return -1;
if (p->size <= p->bpos + size + 1)
{
if (printbuf_extend(p, p->bpos + size + 1) < 0)
return -1;
}
memcpy(p->buf + p->bpos, buf, size);
p->bpos += size;
p->buf[p->bpos] = '\0';
return size;
}
int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
@@ -98,6 +109,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
if (offset == -1)
offset = pb->bpos;
/* Prevent signed integer overflows with large buffers. */
if (len > INT_MAX - offset)
return -1;
size_needed = offset + len;
if (pb->size < size_needed)
{