[gmime: 4/6] Fix integer overflow in decode_int() and get_time()



commit 7b3d77ae3776c93fbba4823299ef46c5e8c674f9
Author: Jakub Wilk <jwilk jwilk net>
Date:   Sat Oct 7 21:49:48 2017 +0200

    Fix integer overflow in decode_int() and get_time()

 gmime/gmime-utils.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)
---
diff --git a/gmime/gmime-utils.c b/gmime/gmime-utils.c
index 6661ea6..f21e8d5 100644
--- a/gmime/gmime-utils.c
+++ b/gmime/gmime-utils.c
@@ -305,7 +305,8 @@ decode_int (const char *in, size_t inlen)
        while (inptr < inend) {
                if (!(*inptr >= '0' && *inptr <= '9'))
                        return -1;
-               
+               if (val > (INT_MAX - (*inptr - '0')) / 10)
+                       return -1;
                val = (val * 10) + (*inptr - '0');
                inptr++;
        }
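Review bot: The new guard in decode_int() carries no comment saying why it must run before the multiplication, and a later edit could move it below `val = (val * 10) + (*inptr - '0');`, where the signed overflow has already occurred. I would add `/* reject before multiplying: val * 10 + digit must not exceed INT_MAX */` above the check. The hunk uses `INT_MAX` without adding an include; presumably `<limits.h>` arrives through the GLib headers, but that is not visible here. Callers now receive -1 for an over-long digit run as well as for a non-digit, so they need to treat -1 as a parse failure. decode_int's body starts and ends outside this hunk.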
@@ -418,30 +419,36 @@ static gboolean
 get_time (const char *in, size_t inlen, int *hour, int *min, int *sec)
 {
        register const char *inptr;
-       int *val, colons = 0;
+       int *val, max, colons = 0;
        const char *inend;
        
        *hour = *min = *sec = 0;
        
        inend = in + inlen;
        val = hour;
+       max = 23;
        for (inptr = in; inptr < inend; inptr++) {
                if (*inptr == ':') {
                        colons++;
                        switch (colons) {
                        case 1:
                                val = min;
+                               max = 59;
                                break;
                        case 2:
                                val = sec;
+                               max = 60;
                                break;
                        default:
                                return FALSE;
                        }
                } else if (!(*inptr >= '0' && *inptr <= '9'))
                        return FALSE;
-               else
+               else {
                        *val = (*val * 10) + (*inptr - '0');
+                       if (*val > max)
+                               return FALSE;
+               }
        }
        
        return TRUE;
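Review bot: In get_time() the range check runs after the store, so on the FALSE return `*hour`, `*min` or `*sec` is left holding an out-of-range value (as large as 609), which a caller that ignores the return value would pick up. Checking before the write, the way the decode_int() hunk does, avoids that: `int digit = *inptr - '0';`, `if (*val > (max - digit) / 10) return FALSE;`, `*val = (*val * 10) + digit;`. The `max = 60` on the seconds branch presumably admits a leap second and deserves a short comment such as `/* 60 permits a leap second */` so it is not later "corrected" to 59. The function's closing brace lies outside the hunk.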

