Patch to fix bounds checking/overflow.

Obtained from: OpenBSD
2002-07-31 12:50:28 +00:00 · 2002-07-31 12:50:28 +00:00 · 7fc37b7c09
commit 7fc37b7c09
parent eeebf53e24
1 changed files with 4 additions and 3 deletions
--- a/lib/libc/xdr/xdr_array.c
+++ b/lib/libc/xdr/xdr_array.c
@ -78,11 +78,12 @@ xdr_array(xdrs, addrp, sizep, maxsize, elsize, elproc)
 	u_int nodesize;

 	/* like strings, arrays are really counted arrays */
-	if (! xdr_u_int(xdrs, sizep)) {
+	if (!xdr_u_int(xdrs, sizep)) {
 		return (FALSE);
 	}
 	c = *sizep;
-	if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
+	if ((c > maxsize && UINT_MAX/elsize < c) &&
+	    (xdrs->x_op != XDR_FREE)) {
 		return (FALSE);
 	}
 	nodesize = c * elsize;
@ -152,7 +153,7 @@ xdr_vector(xdrs, basep, nelem, elemsize, xdr_elem)

 	elptr = basep;
 	for (i = 0; i < nelem; i++) {
-		if (! (*xdr_elem)(xdrs, elptr)) {
+		if (!(*xdr_elem)(xdrs, elptr)) {
 			return(FALSE);
 		}
 		elptr += elemsize;