[libvirt] [PATCH] buf: protect against integer overflow
Eric Blake
eblake at redhat.com
Fri Jun 24 20:08:11 UTC 2011
It's unlikely that we'll ever want to escape a string as long as
INT_MAX/6, but adding this check can't hurt.
* src/util/buf.c (virBufferEscapeSexpr, virBufferEscapeString):
Check for (unlikely) overflow.
---
src/util/buf.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/util/buf.c b/src/util/buf.c
index 750e277..5002486 100644
--- a/src/util/buf.c
+++ b/src/util/buf.c
@@ -311,7 +311,8 @@ virBufferEscapeString(const virBufferPtr buf, const char *format, const char *st
return;
}
- if (VIR_ALLOC_N(escaped, 6 * len + 1) < 0) {
+ if (xalloc_oversized(6, len) ||
+ VIR_ALLOC_N(escaped, 6 * len + 1) < 0) {
virBufferSetError(buf);
return;
}
@@ -398,7 +399,8 @@ virBufferEscapeSexpr(const virBufferPtr buf,
return;
}
- if (VIR_ALLOC_N(escaped, 2 * len + 1) < 0) {
+ if (xalloc_oversized(2, len) ||
+ VIR_ALLOC_N(escaped, 2 * len + 1) < 0) {
virBufferSetError(buf);
return;
}
--
1.7.4.4
More information about the libvir-list
mailing list