From 6df9ffb3419abcab750ee2be0cde631e3df091b1 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] pidof: Prevent integer overflows with grow_size().

Note: unlike "size" and "omit_size", "path_alloc_size" is not multiplied by "sizeof(struct el)" but the checks in grow_size() allow for a roughly 100MB path_alloc_size, which should be more than enough for readlink().
---
 pidof.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pidof.c b/pidof.c
index 0220c888..f329d97d 100644
--- a/pidof.c
+++ b/pidof.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include "c.h"
 #include "fileutils.h"
@@ -29,7 +30,12 @@
 #include "proc/version.h" /* procps_version */
-#define grow_size(x) (x = x * 5 / 4 + 1024)
+#define grow_size(x) do { \
+ if ((x) < 0 || (size_t)(x) >= INT_MAX / 5 / sizeof(struct el)) \
+ xerrx(EXIT_FAILURE, _("integer overflow")); \
+ (x) = (x) * 5 / 4 + 1024; \
+} while (0)
+
 #define safe_free(x) if (x) { free(x); x=NULL; }
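Review bot: The new grow_size() bound has no comment explaining where `INT_MAX / 5 / sizeof(struct el)` comes from, and that rationale (including the path_alloc_size case, which is a byte count rather than an element count) currently lives only in the commit message. The limit appears chosen so that `(x) * 5` cannot overflow an int and the callers' later multiplication by `sizeof(struct el)` stays in range; those call sites are outside this hunk, so this should be confirmed against them. I would add above the macro: `/* x must be a plain int lvalue (it is evaluated several times); the cap keeps x * 5 and x * sizeof(struct el) within INT_MAX */`. The macro also relies on struct el being defined before its first use, which is worth keeping in mind if that definition is ever moved.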