extra checking on memory allocation sizes to prevent a class of overflow attacks

Josh Coalson
2007-09-11 04:49:56 +00:00
parent 0221d87c89
commit 0f008d2e9e
26 changed files with 234 additions and 115 deletions


@@ -20,6 +20,7 @@
# include <config.h>
#endif
#include "share/alloc.h"
#include "share/grabbag.h"
#include "FLAC/assert.h"
#include <stdio.h>
@@ -29,7 +30,7 @@
/* slightly different that strndup(): this always copies 'size' bytes starting from s into a NUL-terminated string. */
static char *local__strndup_(const char *s, size_t size)
{
char *x = (char*)malloc(size+1);
char *x = (char*)safe_malloc_add_2op_(size, /*+*/1);
if(x) {
memcpy(x, s, size);
x[size] = '\0';
@@ -357,7 +358,7 @@ FLAC__StreamMetadata *grabbag__picture_parse_specification(const char *spec, con
if(size < 0)
*error_message = error_messages[5];
else {
FLAC__byte *buffer = (FLAC__byte*)malloc(size);
FLAC__byte *buffer = (FLAC__byte*)safe_malloc_(size);
if(0 == buffer)
*error_message = error_messages[0];
else {
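Review bot: safe_malloc_add_2op_ only protects the `size+1` arithmetic in local__strndup_; the memcpy that follows still reads `size` bytes from `s` unconditionally, so that precondition belongs in the header comment, e.g. `/* slightly different than strndup(): always copies exactly 'size' bytes from s (which must hold at least 'size' readable bytes) into a new NUL-terminated string; returns NULL on overflow or allocation failure */`. In grabbag__picture_parse_specification, `size` is rejected when negative before being passed to safe_malloc_, so the implicit signed-to-size_t conversion is safe there, but if safe_malloc_ keeps malloc(0) semantics a zero-length picture file would be reported as an out-of-memory error (error_messages[0]) rather than as an empty picture; alloc.h is not on this page, so confirm which behaviour it has. The body of grabbag__picture_parse_specification continues outside the hunk.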


@@ -35,6 +35,7 @@
#include <stdlib.h>
#include "share/alloc.h"
#include "charset.h"
#include "charmaps.h"
@@ -492,7 +493,7 @@ int charset_convert(const char *fromcode, const char *tocode,
if (!charset1 || !charset2 )
return -1;
tobuf = (char *)malloc(fromlen * charset2->max + 1);
tobuf = (char *)safe_malloc_mul2add_(fromlen, /*times*/charset2->max, /*+*/1);
if (!tobuf)
return -2;
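Review bot: the bound handed to safe_malloc_mul2add_ for tobuf is the invariant every later write into tobuf depends on, and nothing in the hunk states it; a one-line comment would make it explicit: `/* worst case: each of the fromlen input bytes expands to charset2->max output bytes, plus a NUL */`. If charset2->max is a signed field (its declaration is outside the hunk), passing it to a size_t parameter converts silently and a negative value would be caught only incidentally by the multiply-overflow check, so an explicit `max > 0` test before the allocation would be clearer. charset_convert's body continues past the hunk, so the loop that fills tobuf was not reviewed here.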


@@ -29,6 +29,7 @@
#include <string.h>
#include "iconvert.h"
#include "share/alloc.h"
/*
* Convert data from one encoding to another. Return:
@@ -81,7 +82,7 @@ int iconvert(const char *fromcode, const char *tocode,
* This is deliberately not a config option as people often
* change their iconv library without rebuilding applications.
*/
tocode1 = (char *)malloc(strlen(tocode) + 11);
tocode1 = (char *)safe_malloc_add_2op_(strlen(tocode), /*+*/11);
if (!tocode1)
goto fail;
@@ -119,6 +120,8 @@ int iconvert(const char *fromcode, const char *tocode,
break;
if (obl < 6) {
/* Enlarge the buffer */
if(utflen*2 < utflen) /* overflow check */
goto fail;
utflen *= 2;
newbuf = (char *)realloc(utfbuf, utflen);
if (!newbuf)
@@ -145,7 +148,7 @@ int iconvert(const char *fromcode, const char *tocode,
iconv_close(cd1);
return ret;
}
newbuf = (char *)realloc(utfbuf, (ob - utfbuf) + 1);
newbuf = (char *)safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
if (!newbuf)
goto fail;
ob = (ob - utfbuf) + newbuf;
@@ -196,7 +199,7 @@ int iconvert(const char *fromcode, const char *tocode,
outlen += ob - tbuf;
/* Convert from UTF-8 for real */
outbuf = (char *)malloc(outlen + 1);
outbuf = (char *)safe_malloc_add_2op_(outlen, /*+*/1);
if (!outbuf)
goto fail;
ib = utfbuf;
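Review bot: the overflow check `if(utflen*2 < utflen)` before the buffer doubling is only valid when utflen is an unsigned type; its declaration is outside the hunk, and if it is signed the multiplication overflow is undefined behaviour and the compiler may remove the test entirely, so either write it as a pre-multiplication bound, `if(utflen > ((size_t)-1) / 2) goto fail;`, or confirm the type. The trailing realloc now goes through safe_realloc_add_2op_; whether that helper frees `utfbuf` when it rejects the size, and whether the `fail` label (outside the hunk) also frees `utfbuf`, decides between a leak and a double free on that path, so the ownership rule on failure should be stated in a comment next to the call. iconvert's body starts and ends outside the hunk.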


@@ -2,6 +2,8 @@
* Copyright (C) 2001 Peter Harris <peter.harris@hummingbird.com>
* Copyright (C) 2001 Edmund Grimley Evans <edmundo@rano.org>
*
* Buffer overflow checking added: Josh Coalson, 9/9/2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
@@ -28,6 +30,7 @@
#include <stdlib.h>
#include <string.h>
#include "share/alloc.h"
#include "utf8.h"
#include "charset.h"
@@ -43,7 +46,8 @@
static unsigned char *make_utf8_string(const wchar_t *unicode)
{
int size = 0, index = 0, out_index = 0;
size_t size = 0, n;
int index = 0, out_index = 0;
unsigned char *out;
unsigned short c;
@@ -51,16 +55,19 @@ static unsigned char *make_utf8_string(const wchar_t *unicode)
c = unicode[index++];
while(c) {
if(c < 0x0080) {
size += 1;
n = 1;
} else if(c < 0x0800) {
size += 2;
n = 2;
} else {
size += 3;
n = 3;
}
if(size+n < size) /* overflow check */
return NULL;
size += n;
c = unicode[index++];
}
}
out = malloc(size + 1);
out = safe_malloc_add_2op_(size, /*+*/1);
if (out == NULL)
return NULL;
index = 0;
@@ -87,7 +94,8 @@ static unsigned char *make_utf8_string(const wchar_t *unicode)
static wchar_t *make_unicode_string(const unsigned char *utf8)
{
int size = 0, index = 0, out_index = 0;
size_t size = 0;
int index = 0, out_index = 0;
wchar_t *out;
unsigned char c;
@@ -101,11 +109,15 @@ static wchar_t *make_unicode_string(const unsigned char *utf8)
} else {
index += 1;
}
size += 1;
if(size + 1 == 0) /* overflow check */
return NULL;
size++;
c = utf8[index++];
}
}
out = malloc((size + 1) * sizeof(wchar_t));
if(size + 1 == 0) /* overflow check */
return NULL;
out = safe_malloc_mul_2op_(size+1, /*times*/sizeof(wchar_t));
if (out == NULL)
return NULL;
index = 0;
@@ -147,7 +159,10 @@ int utf8_encode(const char *from, char **to)
return -1;
}
unicode = calloc(wchars + 1, sizeof(unsigned short));
if(wchars < 0) /* underflow check */
return -1;
unicode = safe_calloc_((size_t)wchars + 1, sizeof(unsigned short));
if(unicode == NULL)
{
fprintf(stderr, "Out of memory processing string to UTF8\n");
@@ -190,6 +205,9 @@ int utf8_decode(const char *from, char **to)
chars = WideCharToMultiByte(GetConsoleCP(), WC_COMPOSITECHECK, unicode,
-1, NULL, 0, NULL, NULL);
if(chars < 0) /* underflow check */
return -1;
if(chars == 0)
{
fprintf(stderr, "Unicode translation error %d\n", GetLastError());
@@ -197,7 +215,7 @@ int utf8_decode(const char *from, char **to)
return -1;
}
*to = calloc(chars + 1, sizeof(unsigned char));
*to = safe_calloc_((size_t)chars + 1, sizeof(unsigned char));
if(*to == NULL)
{
fprintf(stderr, "Out of memory processing string to local charset\n");
@@ -277,7 +295,7 @@ static int convert_string(const char *fromcode, const char *tocode,
if (ret != -1)
return ret;
s = malloc(fromlen + 1);
s = safe_malloc_add_2op_(fromlen, /*+*/1);
if (!s)
return -1;
strcpy(s, from);
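Review bot: in utf8_decode the new `if(chars < 0) return -1;` after WideCharToMultiByte returns without releasing the buffer that `unicode` points to; the adjacent `chars == 0` error path has one line between its fprintf and its `return -1` that is not shown here and presumably performs that cleanup, so the new branch should mirror it, e.g. `if(chars < 0) { free(unicode); return -1; }` — confirm against the function's start, which is outside the hunk. The matching `if(wchars < 0) return -1;` in utf8_encode is safe only if nothing has been allocated before that point, which is likewise not visible. The other hunks in this file are consistent: `size` is now size_t, so the `size+n < size` and `size + 1 == 0` checks are well-defined, while `index` and `out_index` stay int; a short comment saying why those remain int, or widening them too, would stop a reader assuming they are also overflow-checked.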