fix another strdup() on unterminated input in mapi_attr.c

verdammelt · Oct 31, 2019 · 3ae8b93 · 3ae8b93
1 parent 3993ca1
commit 3ae8b93
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/src/alloc.c b/src/alloc.c
@@ -76,13 +76,14 @@ alloc_limit_assert (char *fn_name, size_t size)
 
 /* attempts to malloc memory, if fails print error and call abort */
 void*
-xmalloc (size_t num, size_t size)
+xmalloc (size_t num, size_t size, size_t extra)
 {
     size_t res;
     if (check_mul_overflow(num, size, &res))
         abort();
-
-    void *ptr = malloc (res);
+    if (res + extra < res)
+        abort();
+    void *ptr = malloc (res + extra);
     if (!ptr
         && (size != 0))         /* some libc don't like size == 0 */
     {
@@ -94,14 +95,15 @@ xmalloc (size_t num, size_t size)
 
 /* Allocates memory but only up to a limit */
 void*
-checked_xmalloc (size_t num, size_t size)
+checked_xmalloc (size_t num, size_t size, size_t extra)
 {
     size_t res;
     if (check_mul_overflow(num, size, &res))
         abort();
-
+    if (res + extra < res)
+        abort();
     alloc_limit_assert ("checked_xmalloc", res);
-    return xmalloc (num, size);
+    return xmalloc (num, size, extra);
 }
 
 /* xmallocs memory and clears it out */

diff --git a/src/alloc.h b/src/alloc.h
@@ -35,17 +35,19 @@ extern void free (void*);
 extern void set_alloc_limit (size_t size);
 extern size_t get_alloc_limit();
 extern void alloc_limit_assert (char *fn_name, size_t size);
-extern void* checked_xmalloc (size_t num, size_t size);
-extern void* xmalloc (size_t num, size_t size);
+extern void* checked_xmalloc (size_t num, size_t size, size_t extra);
+extern void* xmalloc (size_t num, size_t size, size_t extra);
 extern void* checked_xcalloc (size_t num, size_t size, size_t extra);
 extern void* xcalloc (size_t num, size_t size, size_t extra);
 
 #define XMALLOC(_type,_num)			                \
-        ((_type*)xmalloc((_num), sizeof(_type)))
+  ((_type*)xmalloc((_num), sizeof(_type), 0))
 #define XCALLOC(_type,_num) 				        \
   ((_type*)xcalloc((_num), sizeof (_type), 0))
 #define CHECKED_XMALLOC(_type,_num) 			        \
-        ((_type*)checked_xmalloc((_num),sizeof(_type)))
+  ((_type*)checked_xmalloc((_num),sizeof(_type),0))
+#define CHECKED_XMALLOC_ADDNULL(_type,_num) 			        \
+  ((_type*)checked_xmalloc((_num),sizeof(_type),1))
 #define CHECKED_XCALLOC(_type,_num)			\
   ((_type*)checked_xcalloc((_num),sizeof(_type),0))
 #define CHECKED_XCALLOC_ADDNULL(_type,_num)		\

diff --git a/src/mapi_attr.c b/src/mapi_attr.c
@@ -316,8 +316,10 @@ mapi_attr_read (size_t len, unsigned char *buf)
                 }
                 else
                 {
-                    v->data.buf = CHECKED_XMALLOC(unsigned char, v->len);
+		  /* add space for a null terminator, in case of evil input */
+                    v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, v->len);
                     memmove (v->data.buf, buf+idx, v->len);
+		    v->data.buf[v->len] = '\0';
                 }
 
                 idx += pad_to_4byte(v->len);