diff options
| author | Nick Mathewson <nickm@torproject.org> | 2008-02-19 22:08:01 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2008-02-19 22:08:01 +0000 |
| commit | 352824d95f4331a3396e0b78dd0b855324b3cc82 (patch) | |
| tree | dfd04cb40d40b823e4a234f36332bb950088323a | |
| parent | a1e8cf5ccb3517a010d71182e4541ab2f6486983 (diff) | |
| download | tor-352824d95f4331a3396e0b78dd0b855324b3cc82.tar.gz tor-352824d95f4331a3396e0b78dd0b855324b3cc82.zip | |
r18214@catbus: nickm | 2008-02-19 17:07:55 -0500
Backport to 0.1.2.x: Add some checks in torgzip.c to make sure we never overflow size_t there. Also make sure we do not realloc(list,0) in container.c.
svn:r13588
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | src/common/container.c | 2 | ||||
| -rw-r--r-- | src/common/torgzip.c | 14 |
3 files changed, 15 insertions, 2 deletions
@@ -19,6 +19,7 @@ Changes in versino 0.1.2.20 - 2008-??-?? conditions. - We were leaking a file descriptor if Tor started with a zero-length cached-descriptors file. Patch by freddy77. + - Detect size overflow in zlib code. Changes in version 0.1.2.19 - 2008-01-17 diff --git a/src/common/container.c b/src/common/container.c index 36234743ac..88f96d05f6 100644 --- a/src/common/container.c +++ b/src/common/container.c @@ -65,6 +65,8 @@ smartlist_set_capacity(smartlist_t *sl, int n) { if (n < sl->num_used) n = sl->num_used; + if (n < 1) + n = 1; if (sl->capacity != n) { sl->capacity = n; sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity); diff --git a/src/common/torgzip.c b/src/common/torgzip.c index 5a1e1e8a0b..5216cfece0 100644 --- a/src/common/torgzip.c +++ b/src/common/torgzip.c @@ -70,7 +70,7 @@ tor_gzip_compress(char **out, size_t *out_len, compress_method_t method) { struct z_stream_s *stream = NULL; - size_t out_size; + size_t out_size, old_size; off_t offset; tor_assert(out); @@ -118,7 +118,12 @@ tor_gzip_compress(char **out, size_t *out_len, break; case Z_BUF_ERROR: offset = stream->next_out - ((unsigned char*)*out); + old_size = out_size; out_size *= 2; + if (out_size < old_size) { + log_warn(LD_GENERAL, "Size overflow in compression."); + goto err; + } *out = tor_realloc(*out, out_size); stream->next_out = (unsigned char*)(*out + offset); if (out_size - offset > UINT_MAX) { @@ -173,7 +178,7 @@ tor_gzip_uncompress(char **out, size_t *out_len, int protocol_warn_level) { struct z_stream_s *stream = NULL; - size_t out_size; + size_t out_size, old_size; off_t offset; int r; @@ -240,7 +245,12 @@ tor_gzip_uncompress(char **out, size_t *out_len, goto err; } offset = stream->next_out - (unsigned char*)*out; + old_size = out_size; out_size *= 2; + if (out_size < old_size) { + log_warn(LD_GENERAL, "Size overflow in compression."); + goto err; + } *out = tor_realloc(*out, out_size); stream->next_out = (unsigned char*)(*out + offset); if (out_size - offset > UINT_MAX) { |