[PATCH] Shield against malloc() integer overflow

Lubomir Rintel lkundrak at v3.sk
Wed Sep 29 21:57:19 UTC 2010


Ridiculously high -s arguments could trigger an integer overflow and
result in less memory allocated than desired and in turn a heap overflow
and crash. Or at least annoy valgrind:

$ valgrind -q strace -o /dev/null -s6553600000 -f uname
==14212== Warning: silly arg (-2147483648) to malloc()
---
 util.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/util.c b/util.c
index c28edf3..9d3e195 100644
--- a/util.c
+++ b/util.c
@@ -40,6 +40,7 @@
 #include <sys/user.h>
 #include <sys/param.h>
 #include <fcntl.h>
+#include <limits.h>
 #if HAVE_SYS_UIO_H
 #include <sys/uio.h>
 #endif
@@ -596,7 +597,7 @@ printstr(struct tcb *tcp, long addr, int len)
 	/* Allocate static buffers if they are not allocated yet. */
 	if (!str)
 		str = malloc(max_strlen + 1);
-	if (!outstr)
+	if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
 		outstr = malloc(4 * max_strlen + sizeof "\"...\"");
 	if (!str || !outstr) {
 		fprintf(stderr, "out of memory\n");
-- 
1.7.3