virFileReadLimFD always returns null-terminated data. To that end, it has to
add one to the maximum file size. If the maxium file size is INT_MAX, this
triggers a signed integer overflow.
There is no instance left where a caller would call virFileReadLimFD with a
maxium file size of INT_MAX. Make virFileReadLimFD error out if the maximum
file size is INT_MAX to prevent the reintroduction of this issue.
Signed-off-by: Tim Wiederhake <twiederh@xxxxxxxxxx>
---
src/util/virfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util/virfile.c b/src/util/virfile.c
index 723e1ca6e5..b5600658d5 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -1418,7 +1418,7 @@ virFileReadLimFD(int fd, int maxlen, char **buf)
size_t len;
char *s;
- if (maxlen <= 0) {
+ if ((maxlen <= 0) || (maxlen >= INT_MAX)) {
errno = EINVAL;
return -1;
}
--
2.31.1
