[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r13587: Add some checks in torgzip.c to make sure we never overflow (in tor/trunk: . src/common)
Author: nickm
Date: 2008-02-19 17:05:49 -0500 (Tue, 19 Feb 2008)
New Revision: 13587
Modified:
tor/trunk/
tor/trunk/ChangeLog
tor/trunk/src/common/container.c
tor/trunk/src/common/torgzip.c
Log:
r18208@catbus: nickm | 2008-02-19 17:02:30 -0500
Add some checks in torgzip.c to make sure we never overflow size_t there. Also make sure we do not realloc(list,0) in container.c. Backport candidate.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r18208] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-02-19 22:01:45 UTC (rev 13586)
+++ tor/trunk/ChangeLog 2008-02-19 22:05:49 UTC (rev 13587)
@@ -38,6 +38,7 @@
cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
- Make the new hidden service code respect the SafeLogging setting.
Bugfix on 0.2.0.x. Patch from Karsten.
+ - Detect size overflow in zlib code.
o Code simplifications and refactoring:
- Remove the tor_strpartition function: its logic was confused,
Modified: tor/trunk/src/common/container.c
===================================================================
--- tor/trunk/src/common/container.c 2008-02-19 22:01:45 UTC (rev 13586)
+++ tor/trunk/src/common/container.c 2008-02-19 22:05:49 UTC (rev 13587)
@@ -66,6 +66,8 @@
{
if (n < sl->num_used)
n = sl->num_used;
+ if (n < 1)
+ n = 1;
if (sl->capacity != n) {
sl->capacity = n;
sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity);
Modified: tor/trunk/src/common/torgzip.c
===================================================================
--- tor/trunk/src/common/torgzip.c 2008-02-19 22:01:45 UTC (rev 13586)
+++ tor/trunk/src/common/torgzip.c 2008-02-19 22:05:49 UTC (rev 13587)
@@ -71,7 +71,7 @@
compress_method_t method)
{
struct z_stream_s *stream = NULL;
- size_t out_size;
+ size_t out_size, old_size;
off_t offset;
tor_assert(out);
@@ -119,7 +119,12 @@
break;
case Z_BUF_ERROR:
offset = stream->next_out - ((unsigned char*)*out);
+ old_size = out_size;
out_size *= 2;
+ if (out_size < old_size) {
+ log_warn(LD_GENERAL, "Size overflow in compression.");
+ goto err;
+ }
*out = tor_realloc(*out, out_size);
stream->next_out = (unsigned char*)(*out + offset);
if (out_size - offset > UINT_MAX) {
@@ -178,7 +183,7 @@
int protocol_warn_level)
{
struct z_stream_s *stream = NULL;
- size_t out_size;
+ size_t out_size, old_size;
off_t offset;
int r;
@@ -245,7 +250,12 @@
goto err;
}
offset = stream->next_out - (unsigned char*)*out;
+ old_size = out_size;
out_size *= 2;
+ if (out_size < old_size) {
+ log_warn(LD_GENERAL, "Size overflow in compression.");
+ goto err;
+ }
*out = tor_realloc(*out, out_size);
stream->next_out = (unsigned char*)(*out + offset);
if (out_size - offset > UINT_MAX) {