The FreeBSD patch says:
> c = *sizep;
> - if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
> + if ((c > maxsize && UINT_MAX/elsize < c) &&
> + (xdrs->x_op != XDR_FREE)) {
> return (FALSE);
> }
Is this fix correct? Previously, xdr_array would return false if the
count of items passed in was larger than the maximum; now it only
returns false if it's both larger than the maximum _and_ larger than
the amount that can be safely calculated. In the event that *sizep >
maxsize but *sizep <= UINT_MAX/elsize, the return (FALSE) will never
be hit, whereas it would be in the original version of the
code. Shouldn't the first && be ||?
It looks like glibc, dietlibc and uClibc carry xdr_array code derived
from the same source, so they might require similar fixes.
--
Adam Sampson <azz@gnu.org> <URL:http://azz.us-lot.org/>
