From fe8ffd9ba4d896d57f00a91f83c0ce805cf6b96d Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Mon, 9 Sep 2024 16:01:42 -0700
Subject: [PATCH] Fix implausible overflow when reading symlinks
* src/safe.c (read_symlink): Check for integer overflow in bufferi size calculation.
---
 src/safe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/safe.c b/src/safe.c
index f456085..502446d 100644
--- a/src/safe.c
+++ b/src/safe.c
@@ -317,7 +317,10 @@ static struct symlink *read_symlink(int dirfd, const char *name)
 errno = saved_errno;
 return nullptr;
 }
- symlink = xmalloc (sizeof (*symlink) + st.st_size + 1);
+ idx_t symlinksize;
+ if (ckd_add (&symlinksize, st.st_size, 1 + sizeof *symlink))
+ xalloc_die ();
+ symlink = ximalloc (symlinksize);
 buffer = (char *)(symlink + 1);
 ret = readlinkat (dirfd, name, buffer, st.st_size);
 if (ret <= 0)
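Review bot: The overflow check on the new `ckd_add` line is sound, but the buffer length handed to `readlinkat` two lines below is still `st.st_size` from the earlier stat, so a link whose target is longer than that at read time (the link replaced between the stat and the read, or a filesystem that reports 0 as a symlink's size) is silently cut to `st.st_size` bytes, since `readlinkat` returns the byte count it stored and never signals truncation; the `if (ret <= 0)` check that follows does not catch that case. Because the allocation already reserves `st.st_size + 1` bytes, passing the full length makes truncation detectable: `ret = readlinkat (dirfd, name, buffer, st.st_size + 1);` and then treating `ret > st.st_size` as "link changed, retry or fail" — unless the part of read_symlink after the hunk already compares `ret` against `st.st_size`, which I cannot see from here. A one-line comment on the new block would also help the next reader, e.g. `/* st_size + 1 + sizeof *symlink can exceed idx_t on hostile or corrupt filesystems; ckd_add catches that. */`. read_symlink starts and ends outside the hunk.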