diff options
| author | Eric Hawicz <erh+git@nimenees.com> | 2020-05-15 21:02:37 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-15 21:02:37 -0400 |
| commit | 4467e94110678c19edb2e36ec9c7e31ef7561a43 (patch) | |
| tree | 8b6f46e6251979cc32a3e846bed90c9c05057920 /arraylist.c | |
| parent | 228881c8fc287182f284a58d8279a32fbeae0b7f (diff) | |
| parent | 5d6fa331418d49f1bd488553fd1cfa9ab023fabb (diff) | |
| download | json-c-0.14.tar.gz | |
Merge pull request #608 from besser82/topic/besser82/json-c-0.14/CVE-2020-12762json-c-0.14
json-c-0.14: Fix CVE-2020-12762 - json-c through 0.14 has an integer overflow and out-of-bounds write ...
Diffstat (limited to 'arraylist.c')
| -rw-r--r-- | arraylist.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/arraylist.c b/arraylist.c index 12ad8af..e5524ac 100644 --- a/arraylist.c +++ b/arraylist.c @@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count) { size_t i, stop; + /* Avoid overflow in calculation with large indices. */ + if (idx > SIZE_T_MAX - count) + return -1; stop = idx + count; if (idx >= arr->length || stop > arr->length) return -1; |