If len is INT_MAX in mem_pool_strvfmt(), then len + 1 overflows.
Casting it to size_t would prevent that. Use st_add() to go a step
further and make the addition *obviously* safe. The compiler can
optimize the check away on platforms where SIZE_MAX > INT_MAX, i.e.
basically everywhere.
Signed-off-by: René Scharfe <l.s.r@xxxxxx>
---
mem-pool.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/mem-pool.c b/mem-pool.c
index 2078c22b09..3065b12b23 100644
--- a/mem-pool.c
+++ b/mem-pool.c
@@ -115,6 +115,7 @@ static char *mem_pool_strvfmt(struct mem_pool *pool, const char *fmt,
size_t available = block ? block->end - block->next_free : 0;
va_list cp;
int len, len2;
+ size_t size;
char *ret;
va_copy(cp, ap);
@@ -123,13 +124,14 @@ static char *mem_pool_strvfmt(struct mem_pool *pool, const char *fmt,
if (len < 0)
BUG("your vsnprintf is broken (returned %d)", len);
- ret = mem_pool_alloc(pool, len + 1); /* 1 for NUL */
+ size = st_add(len, 1); /* 1 for NUL */
+ ret = mem_pool_alloc(pool, size);
/* Shortcut; relies on mem_pool_alloc() not touching buffer contents. */
if (ret == next_free)
return ret;
- len2 = vsnprintf(ret, len + 1, fmt, ap);
+ len2 = vsnprintf(ret, size, fmt, ap);
if (len2 != len)
BUG("your vsnprintf is broken (returns inconsistent lengths)");
return ret;
--
2.44.0
