index : packages | |
Archlinux32 package modifications | gitolite user |
summaryrefslogtreecommitdiff |
-rw-r--r-- | extra/slang/slang-2.3.2-integer-array-overflow.patch | 93 |
diff --git a/extra/slang/slang-2.3.2-integer-array-overflow.patch b/extra/slang/slang-2.3.2-integer-array-overflow.patch new file mode 100644 index 00000000..2b30d219 --- /dev/null +++ b/extra/slang/slang-2.3.2-integer-array-overflow.patch @@ -0,0 +1,93 @@ +diff -rauN slang-2.3.2/src/slarray.c slang-2.3.2-integer-array-overflow-patch/src/slarray.c +--- slang-2.3.2/src/slarray.c 2018-03-05 00:16:36.000000000 +0100 ++++ slang-2.3.2-integer-array-overflow-patch/src/slarray.c 2022-01-17 19:48:27.177748577 +0100 +@@ -22,6 +22,7 @@ + + #include "slinclud.h" + #include <math.h> ++#include <limits.h> + + /* #define SL_APP_WANTS_FOREACH */ + #include "slang.h" +@@ -312,6 +313,26 @@ + free_array (at); + } + ++/* Here, a and b are assumed to be non-negative */ ++static int check_overflow_mult_i (SLindex_Type a, SLindex_Type b, SLindex_Type *cp) ++{ ++ if ((a < 0) || (b < 0) || ((b > 0) && (a > INT_MAX/b))) ++ return -1; ++ ++ *cp = a*b; ++ ++ return 0; ++} ++ ++static int check_overflow_mult_ui (SLuindex_Type a, SLindex_Type b, SLuindex_Type *cp) ++{ ++ if ((b < 0) || ((b > 0) && (a > UINT_MAX/(SLuindex_Type)b))) ++ return -1; ++ ++ *cp = a*(SLuindex_Type)b; ++ return 0; ++} ++ + SLang_Array_Type * + SLang_create_array1 (SLtype type, int read_only, VOID_STAR data, + SLindex_Type *dims, unsigned int num_dims, int no_init) +@@ -366,16 +387,14 @@ + num_elements = 1; + for (i = 0; i < num_dims; i++) + { +- SLindex_Type new_num_elements; + at->dims[i] = dims[i]; +- new_num_elements = dims[i] * num_elements; +- if (dims[i] && (new_num_elements/dims[i] != num_elements)) ++ ++ if (-1 == check_overflow_mult_i (num_elements, dims[i], &num_elements)) + { + throw_size_error (SL_Index_Error); + free_array (at); + return NULL; + } +- num_elements = new_num_elements; + } + + /* Now set the rest of the unused dimensions to 1. This makes it easier +@@ -395,8 +414,10 @@ + return at; + } + +- size = (num_elements * sizeof_type); +- if ((size/sizeof_type != num_elements) || (size < 0)) ++ /* SLmalloc is currently limited to the use of unsigned integers. ++ * So include the size of the type as well. ++ */ ++ if (-1 == check_overflow_mult_i (num_elements, sizeof_type, &size)) + { + throw_size_error (SL_INVALID_PARM); + free_array (at); +@@ -1103,7 +1124,6 @@ + total_num_elements = 1; + for (i = 0; i < num_indices; i++) + { +- SLuindex_Type new_total_num_elements; + SLang_Object_Type *obj = index_objs + i; + range_delta_buf [i] = 0; + +@@ -1145,13 +1165,11 @@ + } + } + +- new_total_num_elements = total_num_elements * max_dims[i]; +- if (max_dims[i] && (new_total_num_elements/max_dims[i] != total_num_elements)) ++ if (-1 == check_overflow_mult_ui (total_num_elements, max_dims[i], &total_num_elements)) + { + throw_size_error (SL_INVALID_PARM); + return -1; + } +- total_num_elements = new_total_num_elements; + } + + *num_elements = total_num_elements; |