diff -rauN slang-2.3.2/src/slarray.c slang-2.3.2-integer-array-overflow-patch/src/slarray.c
--- slang-2.3.2/src/slarray.c 2018-03-05 00:16:36.000000000 +0100
+++ slang-2.3.2-integer-array-overflow-patch/src/slarray.c 2022-01-17 19:48:27.177748577 +0100
@@ -22,6 +22,7 @@
#include "slinclud.h"
#include <math.h>
+#include <limits.h>
/* #define SL_APP_WANTS_FOREACH */
#include "slang.h"
@@ -312,6 +313,26 @@
free_array (at);
}
+/* Here, a and b are assumed to be non-negative */
+static int check_overflow_mult_i (SLindex_Type a, SLindex_Type b, SLindex_Type *cp)
+{
+ if ((a < 0) || (b < 0) || ((b > 0) && (a > INT_MAX/b)))
+ return -1;
+
+ *cp = a*b;
+
+ return 0;
+}
+
+static int check_overflow_mult_ui (SLuindex_Type a, SLindex_Type b, SLuindex_Type *cp)
+{
+ if ((b < 0) || ((b > 0) && (a > UINT_MAX/(SLuindex_Type)b)))
+ return -1;
+
+ *cp = a*(SLuindex_Type)b;
+ return 0;
+}
+
SLang_Array_Type *
SLang_create_array1 (SLtype type, int read_only, VOID_STAR data,
SLindex_Type *dims, unsigned int num_dims, int no_init)
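Review bot: The header comment on check_overflow_mult_i says a and b "are assumed to be non-negative", but the first line of the body explicitly rejects negative values, so the comment is stale, and the callers added in the later hunks (the dims loop in SLang_create_array1 and the total_num_elements loop) now rely on that rejection to turn a negative dimension into a size error; suggest `/* Negative a or b is rejected; on success *cp = a*b with no overflow. */`. Both helpers also hard-code INT_MAX and UINT_MAX as the bounds for SLindex_Type and SLuindex_Type, which is only correct while those typedefs in slang.h are exactly int and unsigned int (their definitions are not visible here); if either type is ever widened the guard silently stops catching overflow while still returning 0. A comment naming that dependency next to the helpers, such as `/* INT_MAX / UINT_MAX are the right bounds only while SLindex_Type is int and SLuindex_Type is unsigned int (see slang.h). */`, or a compile-time size assertion in the project's style, would make the coupling visible to whoever changes the typedefs. The definition of SLang_create_array1 begins at the end of this hunk and continues outside it.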
@@ -366,16 +387,14 @@
num_elements = 1;
for (i = 0; i < num_dims; i++)
{
- SLindex_Type new_num_elements;
at->dims[i] = dims[i];
- new_num_elements = dims[i] * num_elements;
- if (dims[i] && (new_num_elements/dims[i] != num_elements))
+
+ if (-1 == check_overflow_mult_i (num_elements, dims[i], &num_elements))
{
throw_size_error (SL_Index_Error);
free_array (at);
return NULL;
}
- num_elements = new_num_elements;
}
/* Now set the rest of the unused dimensions to 1. This makes it easier
@@ -395,8 +414,10 @@
return at;
}
- size = (num_elements * sizeof_type);
- if ((size/sizeof_type != num_elements) || (size < 0))
+ /* SLmalloc is currently limited to the use of unsigned integers.
+ * So include the size of the type as well.
+ */
+ if (-1 == check_overflow_mult_i (num_elements, sizeof_type, &size))
{
throw_size_error (SL_INVALID_PARM);
free_array (at);
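Review bot: `sizeof_type` is passed as the second argument of check_overflow_mult_i, whose parameter is the signed SLindex_Type; if sizeof_type is declared with an unsigned or size_t type (its declaration is outside the hunk), the narrowing conversion is implicit and silent, and a value above INT_MAX would be rejected only by accident of the helper's sign check rather than by design. An explicit cast makes the intent reviewable: `if (-1 == check_overflow_mult_i (num_elements, (SLindex_Type) sizeof_type, &size))`. The new comment explains that SLmalloc takes an unsigned size but not why the check bounds `size` to INT_MAX, which is stricter; one added sentence, e.g. `/* Bounding by INT_MAX keeps size valid as a signed SLindex_Type as well. */`, would record that choice. The enclosing function SLang_create_array1 starts and ends outside this hunk.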
@@ -1103,7 +1124,6 @@
total_num_elements = 1;
for (i = 0; i < num_indices; i++)
{
- SLuindex_Type new_total_num_elements;
SLang_Object_Type *obj = index_objs + i;
range_delta_buf [i] = 0;
@@ -1145,13 +1165,11 @@
}
}
- new_total_num_elements = total_num_elements * max_dims[i];
- if (max_dims[i] && (new_total_num_elements/max_dims[i] != total_num_elements))
+ if (-1 == check_overflow_mult_ui (total_num_elements, max_dims[i], &total_num_elements))
{
throw_size_error (SL_INVALID_PARM);
return -1;
}
- total_num_elements = new_total_num_elements;
}
*num_elements = total_num_elements;