upb_readfile() computes the size of the file that it plans to read by opening
it as a binary stream and then using fseek() / ftell(). This is not reliable.
Subclause 7.21.9.2 of the C standard stipulates that "a binary stream need not
meaningfully support fseek calls with a whence value of SEEK_END". Additionally,
footnote 268 of subclause 7.21.3 says: "Setting the file position indicator to
end-of-file, as with fseek(file, 0, SEEK_END), has undefined behavior for a
binary stream". On non-POSIX systems, using fseek() to set the file position
indicator to end-of-file is not guaranteed to work. If the program tries to
allocate memory based on the result of fseek() / ftell(), the amount may be
incorrect, leading to a potential vulnerability.
To address this issue, we can simply use the file size provided by fstat(),
instead of fseek() / ftell(). Both the diagnosis and the resolution are
supported by recommendation FIO19-C of the SEI CERT C Coding Standard.
upb_readfile() also allocates a buffer that is one byte larger than the file,
presumably with the intention of making sure that the buffer is
null-terminated. However, it does not check the return value of malloc() to
ensure the allocation succeeded, and it does not actually null-terminate the
buffer. Fix that by explicitly null-terminating the buffer.
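The approach described in this PR, as an added example and not upb's own code: a hypothetical `readfile_fstat()` that sizes its buffer from `fstat()` instead of `fseek()`/`ftell()`, checks the `malloc()` result, trusts the byte count that `fread()` actually returned (the file can change size between `fstat()` and the read), and explicitly NUL-terminates. The `demo_roundtrip()` helper, the temp-file path prefix and the sample bytes (which include an embedded NUL, so `strlen()` would under-report the length) are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for a fseek()/ftell()-based reader (example only,
 * not upb's implementation). Reads a regular file into a heap buffer whose
 * size comes from fstat(), per CERT FIO19-C. On success returns a buffer that
 * is NUL-terminated at buf[*len] and stores the number of bytes read in *len;
 * the caller frees it. Returns NULL on any failure. */
char *readfile_fstat(const char *path, size_t *len) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;

    struct stat st;
    /* st_size is only meaningful for regular files; reject pipes, ttys, etc. */
    if (fstat(fileno(f), &st) != 0 || !S_ISREG(st.st_mode) || st.st_size < 0) {
        fclose(f);
        return NULL;
    }
    size_t size = (size_t)st.st_size;

    /* +1 for the terminating NUL; guard the addition against overflow. */
    if (size == SIZE_MAX) { fclose(f); return NULL; }
    char *buf = malloc(size + 1);
    if (!buf) { fclose(f); return NULL; }   /* malloc() can fail: check it */

    /* The file may have shrunk or grown since fstat(); use the byte count
     * fread() really delivered, never the size we planned for. */
    size_t n = fread(buf, 1, size, f);
    if (ferror(f)) { free(buf); fclose(f); return NULL; }
    fclose(f);

    buf[n] = '\0';   /* fread() adds no terminator; do it explicitly */
    if (len) *len = n;
    return buf;
}

/* Self-test helper (constructed for this example): writes sample bytes that
 * include an embedded NUL to a temp file, reads it back with readfile_fstat(),
 * and returns 1 if length, contents and terminator all check out, else 0. */
int demo_roundtrip(void) {
    static const unsigned char sample[] =
        { 'u', 'p', 'b', 0x00, 0xFF, '\n', 'e', 'n', 'd' };
    char path[] = "/tmp/readfile_fstat_XXXXXX";   /* assumed writable prefix */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    FILE *w = fdopen(fd, "wb");
    if (!w) { close(fd); unlink(path); return 0; }
    fwrite(sample, 1, sizeof sample, w);
    fclose(w);

    size_t len = 0;
    char *buf = readfile_fstat(path, &len);
    unlink(path);
    if (!buf) return 0;

    /* strlen() stops at the embedded NUL (3), so only *len is trustworthy. */
    int ok = len == sizeof sample
          && memcmp(buf, sample, len) == 0
          && buf[len] == '\0'
          && strlen(buf) == 3;
    free(buf);
    return ok;
}

int main(void) {
    printf("%s\n", demo_roundtrip() ? "roundtrip ok" : "roundtrip FAILED");
    return 0;
}
```

Because `readfile_fstat()` returns the real byte count alongside the buffer, callers that treat the data as text can use the NUL terminator while callers that treat it as binary (the upb case) use `*len`; neither has to trust a value obtained from `ftell()` on a binary stream.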