diff options
| author | Quentin Rameau <quinq@fifth.space> | 2018-04-01 19:49:58 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-01 19:51:14 +0200 |
| commit | e2afae6303e871a31a061d03359cfcd5dd86c088 (patch) | |
| tree | 40482184a4ff53ea4fd3439f96e0e7e967a075cc /editors | |
| parent | 2da9724b56169f00bd7fb6b9a11c9409a7620981 (diff) | |
| download | busybox-w32-e2afae6303e871a31a061d03359cfcd5dd86c088.tar.gz busybox-w32-e2afae6303e871a31a061d03359cfcd5dd86c088.tar.bz2 busybox-w32-e2afae6303e871a31a061d03359cfcd5dd86c088.zip | |
sed: prevent overflow of length from bb_get_chunk_from_file
This fragment did not work right:
temp = bb_get_chunk_from_file(fp, &len);
if (temp) {
/* len > 0 here, it's ok to do temp[len-1] */
char c = temp[len-1];
With "int len" _sign-extending_, temp[len-1] can refer to a wrong location
if len > 0x7fffffff.
Signed-off-by: Quentin Rameau <quinq@fifth.space>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'editors')
| -rw-r--r-- | editors/sed.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/editors/sed.c b/editors/sed.c index 9d800c2c3..470220859 100644 --- a/editors/sed.c +++ b/editors/sed.c | |||
| @@ -988,7 +988,7 @@ static void flush_append(char *last_puts_char) | |||
| 988 | static char *get_next_line(char *gets_char, char *last_puts_char) | 988 | static char *get_next_line(char *gets_char, char *last_puts_char) |
| 989 | { | 989 | { |
| 990 | char *temp = NULL; | 990 | char *temp = NULL; |
| 991 | int len; | 991 | size_t len; |
| 992 | char gc; | 992 | char gc; |
| 993 | 993 | ||
| 994 | flush_append(last_puts_char); | 994 | flush_append(last_puts_char); |