Diffstat (limited to 'extra/slang/slang-2.3.2-integer-array-overflow.patch')
-rw-r--r--extra/slang/slang-2.3.2-integer-array-overflow.patch93
1 files changed, 93 insertions, 0 deletions
diff --git a/extra/slang/slang-2.3.2-integer-array-overflow.patch b/extra/slang/slang-2.3.2-integer-array-overflow.patch
new file mode 100644
index 00000000..2b30d219
--- /dev/null
+++ b/extra/slang/slang-2.3.2-integer-array-overflow.patch
@@ -0,0 +1,93 @@
+diff -rauN slang-2.3.2/src/slarray.c slang-2.3.2-integer-array-overflow-patch/src/slarray.c
+--- slang-2.3.2/src/slarray.c 2018-03-05 00:16:36.000000000 +0100
++++ slang-2.3.2-integer-array-overflow-patch/src/slarray.c 2022-01-17 19:48:27.177748577 +0100
+@@ -22,6 +22,7 @@
+
+ #include "slinclud.h"
+ #include <math.h>
++#include <limits.h>
+
+ /* #define SL_APP_WANTS_FOREACH */
+ #include "slang.h"
+@@ -312,6 +313,26 @@
+ free_array (at);
+ }
+
++/* Here, a and b are assumed to be non-negative */
++static int check_overflow_mult_i (SLindex_Type a, SLindex_Type b, SLindex_Type *cp)
++{
++ if ((a < 0) || (b < 0) || ((b > 0) && (a > INT_MAX/b)))
++ return -1;
++
++ *cp = a*b;
++
++ return 0;
++}
++
++static int check_overflow_mult_ui (SLuindex_Type a, SLindex_Type b, SLuindex_Type *cp)
++{
++ if ((b < 0) || ((b > 0) && (a > UINT_MAX/(SLuindex_Type)b)))
++ return -1;
++
++ *cp = a*(SLuindex_Type)b;
++ return 0;
++}
++
+ SLang_Array_Type *
+ SLang_create_array1 (SLtype type, int read_only, VOID_STAR data,
+ SLindex_Type *dims, unsigned int num_dims, int no_init)
+@@ -366,16 +387,14 @@
+ num_elements = 1;
+ for (i = 0; i < num_dims; i++)
+ {
+- SLindex_Type new_num_elements;
+ at->dims[i] = dims[i];
+- new_num_elements = dims[i] * num_elements;
+- if (dims[i] && (new_num_elements/dims[i] != num_elements))
++
++ if (-1 == check_overflow_mult_i (num_elements, dims[i], &num_elements))
+ {
+ throw_size_error (SL_Index_Error);
+ free_array (at);
+ return NULL;
+ }
+- num_elements = new_num_elements;
+ }
+
+ /* Now set the rest of the unused dimensions to 1. This makes it easier
+@@ -395,8 +414,10 @@
+ return at;
+ }
+
+- size = (num_elements * sizeof_type);
+- if ((size/sizeof_type != num_elements) || (size < 0))
++ /* SLmalloc is currently limited to the use of unsigned integers.
++ * So include the size of the type as well.
++ */
++ if (-1 == check_overflow_mult_i (num_elements, sizeof_type, &size))
+ {
+ throw_size_error (SL_INVALID_PARM);
+ free_array (at);
+@@ -1103,7 +1124,6 @@
+ total_num_elements = 1;
+ for (i = 0; i < num_indices; i++)
+ {
+- SLuindex_Type new_total_num_elements;
+ SLang_Object_Type *obj = index_objs + i;
+ range_delta_buf [i] = 0;
+
+@@ -1145,13 +1165,11 @@
+ }
+ }
+
+- new_total_num_elements = total_num_elements * max_dims[i];
+- if (max_dims[i] && (new_total_num_elements/max_dims[i] != total_num_elements))
++ if (-1 == check_overflow_mult_ui (total_num_elements, max_dims[i], &total_num_elements))
+ {
+ throw_size_error (SL_INVALID_PARM);
+ return -1;
+ }
+- total_num_elements = new_total_num_elements;
+ }
+
+ *num_elements = total_num_elements;
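Review bot: The two new helpers bound the product with `INT_MAX` and `UINT_MAX`, which is only the right limit while `SLindex_Type` and `SLuindex_Type` are `int` and `unsigned int`; those typedefs are not visible in this patch, so that assumption should be pinned next to the helpers, for example with `_Static_assert (sizeof (SLindex_Type) == sizeof (int), "overflow checks assume int-sized SLindex_Type");` or an equivalent compile-time check the project already uses. The comment above `check_overflow_mult_i` says the operands are "assumed to be non-negative", but the function actually rejects negative values, and `check_overflow_mult_ui` has no comment at all; I would replace the first with `/* Returns -1 if a or b is negative or a*b would exceed INT_MAX; otherwise stores a*b in *cp and returns 0. */` and add the matching line for the unsigned variant. At the allocation-size call, `sizeof_type` and `&size` are passed as `SLindex_Type` and `SLindex_Type *`; their declarations lie outside the embedded hunks, so it is worth confirming they have exactly that type. The added comment there speaks of `SLmalloc` taking unsigned integers while the check enforces the signed `INT_MAX` limit, which presumably is the intended, stricter bound, but the wording should say so. The bodies of `SLang_create_array1` and of the index-handling function in the last two embedded hunks continue outside what is shown.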