42 lines
1.0 KiB
Diff
42 lines
1.0 KiB
Diff
commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc
|
|
Author: Ondřej Bílka <neleai@seznam.cz>
|
|
Date: Sat Jul 11 17:44:10 2015 +0200
|
|
|
|
Handle overflow in __hcreate_r
|
|
|
|
Hi,
|
|
|
|
As in bugzilla entry there is overflow in hsearch when looking for prime
|
|
number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large
|
|
inputs before looking for prime.
|
|
|
|
* misc/hsearch_r.c (__hcreate_r): Handle overflow.
|
|
|
|
diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
|
|
index 9f55e84..559df29 100644
|
|
--- a/misc/hsearch_r.c
|
|
+++ b/misc/hsearch_r.c
|
|
@@ -19,7 +19,7 @@
|
|
#include <errno.h>
|
|
#include <malloc.h>
|
|
#include <string.h>
|
|
-
|
|
+#include <stdint.h>
|
|
#include <search.h>
|
|
|
|
/* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
|
|
@@ -73,6 +73,13 @@ __hcreate_r (nel, htab)
|
|
return 0;
|
|
}
|
|
|
|
+ if (nel >= SIZE_MAX / sizeof (_ENTRY))
|
|
+ {
|
|
+ __set_errno (ENOMEM);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+
|
|
/* There is still another table active. Return with error. */
|
|
if (htab->table != NULL)
|
|
return 0;
|