[PATCH] Shield against malloc() integer overflow
Lubomir Rintel
lkundrak at v3.sk
Wed Sep 29 21:57:19 UTC 2010
Ridiculously high -s arguments could trigger an integer overflow and
result in less memory allocated than desired and in turn a heap overflow
and crash. Or at least annoy valgrind:
$ valgrind -q strace -o /dev/null -s6553600000 -f uname
==14212== Warning: silly arg (-2147483648) to malloc()
---
util.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/util.c b/util.c
index c28edf3..9d3e195 100644
--- a/util.c
+++ b/util.c
@@ -40,6 +40,7 @@
#include <sys/user.h>
#include <sys/param.h>
#include <fcntl.h>
+#include <limits.h>
#if HAVE_SYS_UIO_H
#include <sys/uio.h>
#endif
@@ -596,7 +597,7 @@ printstr(struct tcb *tcp, long addr, int len)
/* Allocate static buffers if they are not allocated yet. */
if (!str)
str = malloc(max_strlen + 1);
- if (!outstr)
+ if (!outstr && (INT_MAX - sizeof "\"...\"") / 4 > max_strlen)
outstr = malloc(4 * max_strlen + sizeof "\"...\"");
if (!str || !outstr) {
fprintf(stderr, "out of memory\n");
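Review bot: the new guard covers only the outstr request; the str = malloc(max_strlen + 1) two lines above is still issued unchecked, so a max_strlen of INT_MAX (or a negative value, should -s ever produce one) is passed to malloc() with a wrapped size before the guard fires, and a rejected -s value then surfaces as "out of memory", which hides the real cause from the user. Negative values are at least refused: sizeof yields a size_t, so max_strlen is converted to size_t for the comparison and a negative value becomes huge and fails the test, leaving outstr NULL. Consider validating max_strlen once where -s is parsed, rejecting negative values and anything above (INT_MAX - sizeof "\"...\"") / 4 with a message that names the option and the limit; that covers both allocations and keeps printstr() free of option-range logic. If the check stays here, note that the strict > also rejects max_strlen == (INT_MAX - sizeof "\"...\"") / 4, although 4 * max_strlen + sizeof "\"...\"" still fits in an int at that value; >= would be exact, and being off by one in the safe direction is harmless.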
--
1.7.3
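The wraparound described above, next to a range check that rules it out, as an added example; this is not strace's code nor the author's. It takes the two buffer sizes from the hunk (max_strlen + 1 for str, 4 * max_strlen + sizeof "\"...\"" for outstr), assumes a 32-bit int as on the Linux ABIs strace runs on, and uses hypothetical function names and constructed -s values.

```c
/* Added example, not strace's code: the two printstr() buffer sizes
 * computed without integer overflow.  max_strlen is an int set from -s,
 * as in strace; the function names are hypothetical.  Assumes a 32-bit int. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* sizeof "\"...\"" from util.c: five characters plus the NUL, i.e. 6 */
#define ELLIPSIS_SIZE (sizeof "\"...\"")

/* What the unchecked expression 4 * max_strlen + sizeof "\"...\"" turns
 * into once 4 * max_strlen no longer fits in an int.  Signed overflow is
 * undefined in C, so the wrap is emulated in 32-bit unsigned arithmetic,
 * which is what a two's-complement machine produces in practice. */
uint32_t wrapped_outstr_size(int max_strlen)
{
    uint32_t four_n = 4u * (uint32_t)max_strlen;   /* wraps mod 2^32 */
    return four_n + (uint32_t)ELLIPSIS_SIZE;
}

/* The range check, arranged so that the comparison itself cannot overflow.
 * The INT_MAX bound follows the patch (the buffers are later used with int
 * lengths); it also guarantees that max_strlen + 1 fits. */
bool max_strlen_in_range(int max_strlen)
{
    if (max_strlen < 0)
        return false;                       /* a negative -s value */
    return (size_t)max_strlen <= (INT_MAX - ELLIPSIS_SIZE) / 4;
}

/* Request size for str, or 0 if max_strlen is out of range. */
size_t checked_str_size(int max_strlen)
{
    return max_strlen_in_range(max_strlen) ? (size_t)max_strlen + 1 : 0;
}

/* Request size for outstr, or 0 if max_strlen is out of range.  The
 * multiplication is done in size_t after the check, so it cannot wrap. */
size_t checked_outstr_size(int max_strlen)
{
    return max_strlen_in_range(max_strlen)
        ? 4 * (size_t)max_strlen + ELLIPSIS_SIZE : 0;
}

int main(void)
{
    /* Constructed -s values: a normal one, the largest that still fits,
     * one whose 4 * max_strlen wraps to a tiny positive number, and -1. */
    const int samples[] = { 32, (INT_MAX - (int)ELLIPSIS_SIZE) / 4, 1073741825, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = samples[i];
        if (max_strlen_in_range(n))
            printf("-s%d: str=%zu outstr=%zu bytes\n",
                   n, checked_str_size(n), checked_outstr_size(n));
        else
            printf("-s%d: rejected (unchecked malloc would have asked for %u bytes)\n",
                   n, (unsigned)wrapped_outstr_size(n));
    }
    return 0;
}
```

With -s1073741825 the unchecked expression asks malloc() for 10 bytes while the caller believes it owns room for four times the string length, which is the heap overflow the description mentions; the checked variant refuses that value, and a single call to max_strlen_in_range() at option-parsing time would cover both buffers at once.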
More information about the Strace-devel mailing list