diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-05-04 19:41:16 +0200 |
|---|---|---|
| committer | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-05-04 19:41:16 +0200 |
| commit | 099016b7e8d70a6d5dd814e788bba08d33d48426 (patch) | |
| tree | 8844c34a0c78be71e023c4eeb209d231a82bd38c /arraylist.c | |
| parent | 105900702410e8f2e8b3cecac5b19c6b7ca60bc5 (diff) | |
| download | json-c-099016b7e8d70a6d5dd814e788bba08d33d48426.tar.gz | |
Protect array_list_del_idx against size_t overflow.
If the assignment of stop overflows due to idx and count being
larger than SIZE_T_MAX in sum, out of boundary access could happen.
It takes invalid usage of this function for this to happen, but
I decided to add this check so array_list_del_idx is as safe against
bad usage as the other arraylist functions.
Diffstat (limited to 'arraylist.c')
| -rw-r--r-- | arraylist.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/arraylist.c b/arraylist.c index 12ad8af..e5524ac 100644 --- a/arraylist.c +++ b/arraylist.c @@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count) { size_t i, stop; + /* Avoid overflow in calculation with large indices. */ + if (idx > SIZE_T_MAX - count) + return -1; stop = idx + count; if (idx >= arr->length || stop > arr->length) return -1; |