summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorteor <teor@torproject.org>2019-10-23 08:20:45 +1000
committerteor <teor@torproject.org>2019-10-23 08:20:45 +1000
commit7660a7cf7d4191e44aba0bf3e02a001d7e979d29 (patch)
treef58f72c94d5167ead67c1badca5e0a0d10529dad
parent511aeba8eeb24a953228e00917f64703059a7673 (diff)
parent97d73db7c36ec3fac2974726012f76bff63f9dfc (diff)
downloadtor-7660a7cf7d4191e44aba0bf3e02a001d7e979d29.tar.gz
tor-7660a7cf7d4191e44aba0bf3e02a001d7e979d29.zip
Merge remote-tracking branch 'tor-github/pr/1178' into maint-0.2.9
-rw-r--r--changes/ticket310016
-rw-r--r--src/common/compat.c8
2 files changed, 10 insertions, 4 deletions
diff --git a/changes/ticket31001 b/changes/ticket31001
new file mode 100644
index 0000000000..2ce1cbdf34
--- /dev/null
+++ b/changes/ticket31001
@@ -0,0 +1,6 @@
+ o Minor bugfixes (compatibility, standards compliance):
+ - Fix a bug that would invoke undefined behavior on certain operating
+ systems when trying to asprintf() a string exactly INT_MAX bytes
+ long. We don't believe this is exploitable, but it's better
+ to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha.
+ Found and fixed by Tobias Stoeckmann.
diff --git a/src/common/compat.c b/src/common/compat.c
index e99abcb16d..4d4a81e1c1 100644
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -542,8 +542,8 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
*strp = NULL;
return -1;
}
- strp_tmp = tor_malloc(len + 1);
- r = _vsnprintf(strp_tmp, len+1, fmt, args);
+ strp_tmp = tor_malloc((size_t)len + 1);
+ r = _vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
if (r != len) {
tor_free(strp_tmp);
*strp = NULL;
@@ -578,9 +578,9 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
*strp = tor_strdup(buf);
return len;
}
- strp_tmp = tor_malloc(len+1);
+ strp_tmp = tor_malloc((size_t)len+1);
/* use of tor_vsnprintf() will ensure string is null terminated */
- r = tor_vsnprintf(strp_tmp, len+1, fmt, args);
+ r = tor_vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
if (r != len) {
tor_free(strp_tmp);
*strp = NULL;