find_script: avoid potential integer overflow #23654
Conversation
Fixes a Coverity issue:
>>> function_return: Function Perl_delimcpy_no_escape(tmpbuf, tmpbuf + 4096UL, s, bufend, 58, &len) modifies its argument, assigning 2147483647 to len.
3553 s = delimcpy_no_escape(tmpbuf, tmpbuf + sizeof tmpbuf, s, bufend,
3554 ':', &len);
>>> CID 583353: (Perl#1 of 1): Overflowed constant (INTEGER_OVERFLOW)
>>> overflow_const: Expression len + 1, where len is known to be equal to 2147483647, overflows the type of len + 1, which is type int.
3558 if (len + 1 + strlen(scriptname) + MAX_EXT_LEN >= sizeof tmpbuf)
3559 continue; /* don't search dir with too-long name */
If there is not enough available space in tmpbuf, delimcpy_no_escape
sets len to I32_MAX, but the following code does not check for this. (I
believe this case is reachable simply by setting PATH to a huge string.)
Avoid the potential overflow by rewriting
A + B >= C
as
A >= C - B
(Also, make 'len' unsigned (specifically, size_t) to match the type of
sizeof/strlen() and avoid warnings about comparisons between signed and
unsigned integers.)
Would it be feasible to write a regression test for this? |
I don't think so. You can get |
tonycoz
left a comment
tonycoz
left a comment
There was a problem hiding this comment.
I'll admit this makes me want a new UI for delimcpy_no_escape(), though I'm not sure what that would be.
3 participants
Fixes a Coverity issue:
If there is not enough available space in tmpbuf, delimcpy_no_escape sets len to I32_MAX, but the following code does not check for this. (I believe this case is reachable simply by setting PATH to a huge string.)
Avoid the potential overflow by rewriting
as
(Also, make 'len' unsigned (specifically, size_t) to match the type of sizeof/strlen() and avoid warnings about comparisons between signed and unsigned integers.)