From 2b68bdf4ba57e052b41cbfe6349deb2b0a401442 Mon Sep 17 00:00:00 2001 From: Tatsuya Kinoshita Date: Tue, 2 Mar 2021 19:48:39 +0900 Subject: Prevent large memory usage and null-deref in Str.c Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31579 Bug-Chromium: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31589 --- Str.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) (limited to 'Str.c') diff --git a/Str.c b/Str.c index 03e0950..0786ec1 100644 --- a/Str.c +++ b/Str.c @@ -26,7 +26,7 @@ #include "myctype.h" #define INITIAL_STR_SIZE 32 -#define STR_SIZE_MAX (INT_MAX - 1) +#define STR_SIZE_MAX (INT_MAX / 8) #ifdef STR_DEBUG /* This is obsolete, because "Str" can handle a '\0' character now. */ @@ -39,7 +39,11 @@ Str Strnew() { Str x = GC_MALLOC(sizeof(struct _Str)); + if (x == NULL) + exit(1); x->ptr = GC_MALLOC_ATOMIC(INITIAL_STR_SIZE); + if (x->ptr == NULL) + exit(1); x->ptr[0] = '\0'; x->area_size = INITIAL_STR_SIZE; x->length = 0; @@ -50,9 +54,13 @@ Str Strnew_size(int n) { Str x = GC_MALLOC(sizeof(struct _Str)); + if (x == NULL) + exit(1); if (n < 0 || n >= STR_SIZE_MAX) n = STR_SIZE_MAX - 1; x->ptr = GC_MALLOC_ATOMIC(n + 1); + if (x->ptr == NULL) + exit(1); x->ptr[0] = '\0'; x->area_size = n + 1; x->length = 0; @@ -68,10 +76,14 @@ Strnew_charp(const char *p) if (p == NULL) return Strnew(); x = GC_MALLOC(sizeof(struct _Str)); + if (x == NULL) + exit(1); n = strlen(p) + 1; if (n <= 0 || n > STR_SIZE_MAX) n = STR_SIZE_MAX; x->ptr = GC_MALLOC_ATOMIC(n); + if (x->ptr == NULL) + exit(1); x->area_size = n; x->length = n - 1; bcopy((void *)p, (void *)x->ptr, n - 1); @@ -101,9 +113,13 @@ Strnew_charp_n(const char *p, int n) if (p == NULL) return Strnew_size(n); x = GC_MALLOC(sizeof(struct _Str)); + if (x == NULL) + exit(1); if (n < 0 || n >= STR_SIZE_MAX) n = STR_SIZE_MAX - 1; x->ptr = GC_MALLOC_ATOMIC(n + 1); + if (x->ptr == NULL) + exit(1); x->area_size = n + 1; x->length = n; bcopy((void *)p, (void *)x->ptr, n); @@ -142,6 +158,8 @@ Strcopy(Str x, Str y) if (x->area_size < y->length + 1) { GC_free(x->ptr); x->ptr = GC_MALLOC_ATOMIC(y->length + 1); + if (x->ptr == NULL) + exit(1); x->area_size = y->length + 1; } bcopy((void *)y->ptr, (void *)x->ptr, y->length + 1); @@ -165,6 +183,8 @@ Strcopy_charp(Str x, const char *y) if (x->area_size < len + 1) { GC_free(x->ptr); x->ptr = GC_MALLOC_ATOMIC(len + 1); + if (x->ptr == NULL) + exit(1); x->area_size = len + 1; } bcopy((void *)y, (void *)x->ptr, len); @@ -188,6 +208,8 @@ Strcopy_charp_n(Str x, const char *y, int n) if (x->area_size < len + 1) { GC_free(x->ptr); x->ptr = GC_MALLOC_ATOMIC(len + 1); + if (x->ptr == NULL) + exit(1); x->area_size = len + 1; } bcopy((void *)y, (void *)x->ptr, len); @@ -216,6 +238,8 @@ Strcat_charp_n(Str x, const char *y, int n) if (newlen <= 0 || newlen > STR_SIZE_MAX) newlen = STR_SIZE_MAX; x->ptr = GC_MALLOC_ATOMIC(newlen); + if (x->ptr == NULL) + exit(1); x->area_size = newlen; bcopy((void *)old, (void *)x->ptr, x->length); GC_free(old); @@ -265,6 +289,8 @@ Strgrow(Str x) x->length = newlen - 2; } x->ptr = GC_MALLOC_ATOMIC(newlen); + if (x->ptr == NULL) + exit(1); x->area_size = newlen; bcopy((void *)old, (void *)x->ptr, x->length); x->ptr[x->length] = '\0'; -- cgit v1.2.3