emo/procps
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

0002-pgrep: Prevent integer overflow of list size.

Browse Source 
Not exploitable (not under an attacker's control), but still a potential
non-security problem. Copied, fixed, and used the grow_size() macro from
pidof.c.

Signed-off-by: Craig Small <csmall@enc.com.au>
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 80f9815f5f
commit 7c9a7d7cfe
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pgrep.c
View File

@ -69,6 +69,12 @@ enum rel_items {
EU_PID, EU_PPID, EU_PGRP, EU_EUID, EU_RUID, EU_RGID, EU_SESSION, EU_PID, EU_PPID, EU_PGRP, EU_EUID, EU_RUID, EU_RGID, EU_SESSION,
EU_TGID, EU_STARTTIME, EU_TTYNAME, EU_CMD, EU_CMDLINE EU_TGID, EU_STARTTIME, EU_TTYNAME, EU_CMD, EU_CMDLINE
}; };
#define grow_size(x) do { \
if ((x) < 0 || (size_t)(x) >= INT_MAX / 5 / sizeof(struct el)) \
xerrx(EXIT_FAILURE, _("integer overflow")); \
(x) = (x) * 5 / 4 + 4; \
} while (0)
static int i_am_pkill = 0; static int i_am_pkill = 0;
struct el { struct el {
@ -173,7 +179,7 @@ static struct el *split_list (const char *restrict str, int (*convert)(const cha
do { do {
if (i == size) { if (i == size) {
size = size * 5 / 4 + 4; grow_size(size);
/* add 1 because slot zero is a count */ /* add 1 because slot zero is a count */
list = xrealloc (list, (1 + size) * sizeof *list); list = xrealloc (list, (1 + size) * sizeof *list);
} }
@ -575,7 +581,7 @@ static struct el * select_procs (int *num)
matches = 0; matches = 0;
} }
if (matches == size) { if (matches == size) {
size = size * 5 / 4 + 4; grow_size(size);
list = xrealloc(list, size * sizeof *list); list = xrealloc(list, size * sizeof *list);
} }
if (list && (opt_long || opt_longlong || opt_echo)) { if (list && (opt_long || opt_longlong || opt_echo)) {