From f7fee036c1290ebeb4d557f59d333751251c40fe Mon Sep 17 00:00:00 2001 From: leitner Date: Fri, 14 Mar 2014 18:56:07 +0000 Subject: [PATCH] SECURITY: check for integer overflow in stralloc_ready --- CHANGES | 1 + stralloc/stralloc_free.c | 1 + stralloc/stralloc_ready.c | 2 +- test/marshal.c | 53 +++++++++++++++++++++++++++++++++++++-- 4 files changed, 54 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 1065a5c..d46e2b0 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,7 @@ added fmt_escapechar* to fmt.h (implement various escaping mechanisms also found in textcode but for a single char not a whole string, and they always escape, not just when they think it's needed) scan_ushort was supposed to abort early and return 5 when attempting to parse "65536", because the result does not fit. It did not. Now it does. scan_*long, scan_*int, scan_*short now properly abort if the number would not fit + SECURITY: check for integer overflow in stralloc_ready 0.29: save 8 bytes in taia.h for 64-bit systems diff --git a/stralloc/stralloc_free.c b/stralloc/stralloc_free.c index c5e5a4d..2d0f324 100644 --- a/stralloc/stralloc_free.c +++ b/stralloc/stralloc_free.c @@ -4,4 +4,5 @@ void stralloc_free(stralloc *sa) { if (sa->s) free(sa->s); sa->s=0; + sa->a=sa->len=0; } diff --git a/stralloc/stralloc_ready.c b/stralloc/stralloc_ready.c index e0129e8..dee19b5 100644 --- a/stralloc/stralloc_ready.c +++ b/stralloc/stralloc_ready.c @@ -9,7 +9,7 @@ * old space, and returns 1. Note that this changes sa.s. */ int stralloc_ready(stralloc *sa,size_t len) { register size_t wanted=len+(len>>3)+30; /* heuristic from djb */ - if (!sa->s || sa->as || sa->as,wanted))) return 0; diff --git a/test/marshal.c b/test/marshal.c index 18f8325..9062381 100644 --- a/test/marshal.c +++ b/test/marshal.c 
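Review bot: The added `sa->a=sa->len=0;` in stralloc_free deserves a comment, because the line above it only resets `s` and a reader will not see why the other two fields matter: `/* reset a and len as well, so a freed stralloc looks exactly like a zero-initialised one and no later call sizes a buffer from stale fields */`. The surviving guard `if (sa->s) free(sa->s);` is redundant since `free(NULL)` is a no-op; `free(sa->s);` alone reads cleaner and does the same thing. Whether any caller actually reads `len` or `a` after a free cannot be seen from this hunk, so the comment should state the invariant rather than name a caller.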
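Review bot: The replaced condition in stralloc_ready is printed here as `- if (!sa->s || sa->as || sa->as,wanted))) return 0;`, so text between `<` and `>` has evidently been dropped by this rendering and the exact form of the new overflow guard cannot be confirmed from the page. Assuming it rejects the case where `wanted` wrapped below `len`, that is sufficient — `len>>3` plus 30 is always far smaller than the type's range, so a wrapped sum is necessarily smaller than `len` — but the line `register size_t wanted=len+(len>>3)+30; /* heuristic from djb */` gives no hint of that, and a comment on the guard would help: `/* len+(len>>3)+30 can wrap for huge len; a wrapped value is always < len, so refuse it before realloc */`. Merely huge (non-wrapping) requests still go to `realloc` and return 0 on failure through the existing path, which is fine. The rest of stralloc_ready's body continues outside the hunk.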
@@ -1,14 +1,20 @@ +#include + +#include +#include + #include #include #include #include -#include - #include #include #include +#include +#include char buf[100]; +stralloc sa; void zap() { size_t i; for (i=0; i4096); + fseek(f,0,SEEK_SET); + assert(stdiocopy=malloc(flen)); + assert(fread(stdiocopy,1,flen,f)==flen); + fclose(f); + + assert(openreadclose("test/marshal.c",&sa,4096)==1); + assert(sa.len == flen); + assert(byte_equal(sa.s,flen,stdiocopy)); + + assert((mmapcopy=mmap_read("test/marshal.c",&mlen)) && mlen==flen); + assert(byte_equal(sa.s,flen,mmapcopy)); + mmap_unmap(mmapcopy,mlen); + } + + stralloc_free(&sa); + + assert(stralloc_ready(&sa,0x1000)); + assert(sa.a >= 0x1000); + assert(stralloc_copyb(&sa,stdiocopy,0x900)); + assert(sa.len == 0x900); + assert(stralloc_catb(&sa,stdiocopy+0x900,0x700)); + assert(sa.len == 0x1000); + assert(byte_equal(sa.s,0x1000,stdiocopy)); + assert(stralloc_readyplus(&sa,0x1000)); + assert(sa.a >= 0x2000); + assert(stralloc_readyplus(&sa,(size_t)-1)==0); + assert(stralloc_ready(&sa,(size_t)-1)==0); + return 0; }
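Review bot: Several of the new assertions in test/marshal.c carry the work they check — `assert(stdiocopy=malloc(flen));`, `assert(fread(stdiocopy,1,flen,f)==flen);` and `assert((mmapcopy=mmap_read("test/marshal.c",&mlen)) && mlen==flen);` — so a build with `NDEBUG` drops the allocation, the read and the mapping, and the later `stralloc_copyb`/`byte_equal` calls then operate on whatever `stdiocopy` happened to hold. Perform the calls as ordinary statements and assert only on their results, as sketched below (with a `size_t nread` declared alongside `flen`). Separately, the final `assert(stralloc_readyplus(&sa,(size_t)-1)==0)` runs with `sa.len == 0x1000` and a live buffer, so it can only pass if `stralloc_readyplus` itself refuses a wrapped `sa->len+len`; that function is not touched by this commit, so it is worth confirming it has such a check. This rendering has also dropped text between `<` and `>` (the `#include` targets and the span around `i4096`), so the hunk boundaries in the middle of the file are not fully visible here, and `stdiocopy` appears never to be freed.
```c
/* … unchanged: fopen, fseek/ftell into flen … */
stdiocopy=malloc(flen);
assert(stdiocopy);
nread=fread(stdiocopy,1,flen,f);
assert(nread==flen);
/* … unchanged: fclose, openreadclose and byte_equal checks … */
mmapcopy=mmap_read("test/marshal.c",&mlen);
assert(mmapcopy && mlen==flen);
```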