diff options
| author | darrenr <darrenr@FreeBSD.org> | 2002-07-31 12:50:28 +0000 |
|---|---|---|
| committer | darrenr <darrenr@FreeBSD.org> | 2002-07-31 12:50:28 +0000 |
| commit | db2b5421c21286b0bc2dc446ebf11eb4912f480e (patch) | |
| tree | 19cac84d4180bbc9fb48104233666f4fff85a26f /lib/libc | |
| parent | 81f45956da84eb139efa30306f8e1692f8df89f1 (diff) | |
| download | FreeBSD-src-db2b5421c21286b0bc2dc446ebf11eb4912f480e.zip FreeBSD-src-db2b5421c21286b0bc2dc446ebf11eb4912f480e.tar.gz | |
Patch to fix bounds checking/overflow.
Obtained from: OpenBSD
Diffstat (limited to 'lib/libc')
| -rw-r--r-- | lib/libc/xdr/xdr_array.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/libc/xdr/xdr_array.c b/lib/libc/xdr/xdr_array.c index d75c53f..5673014 100644 --- a/lib/libc/xdr/xdr_array.c +++ b/lib/libc/xdr/xdr_array.c @@ -78,11 +78,12 @@ xdr_array(xdrs, addrp, sizep, maxsize, elsize, elproc) u_int nodesize; /* like strings, arrays are really counted arrays */ - if (! xdr_u_int(xdrs, sizep)) { + if (!xdr_u_int(xdrs, sizep)) { return (FALSE); } c = *sizep; - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) { + if ((c > maxsize && UINT_MAX/elsize < c) && + (xdrs->x_op != XDR_FREE)) { return (FALSE); } nodesize = c * elsize; @@ -152,7 +153,7 @@ xdr_vector(xdrs, basep, nelem, elemsize, xdr_elem) elptr = basep; for (i = 0; i < nelem; i++) { - if (! (*xdr_elem)(xdrs, elptr)) { + if (!(*xdr_elem)(xdrs, elptr)) { return(FALSE); } elptr += elemsize; |
