Browse code

core: protect for int value overflow on string convert

Daniel-Constantin Mierla authored on 28/11/2021 16:51:05
Showing 1 changed files
... ...
@@ -662,9 +662,10 @@ static inline int str2int(str* _s, unsigned int* _r)
662 662
 	str2unval(_s, _r);
663 663
 }
664 664
 
665
-#define str2snval(_s, _r) do { \
665
+#define str2snval(_s, _r, _vmin, _vmax) do { \
666 666
 		int i; \
667 667
 		int sign; \
668
+		long long ll; \
668 669
 		if (_s == NULL) return -1; \
669 670
 		if (_r == NULL) return -1; \
670 671
 		if (_s->len < 0) return -1; \
... ...
@@ -680,13 +681,25 @@ static inline int str2int(str* _s, unsigned int* _r)
680 681
 		} \
681 682
 		for(; i < _s->len; i++) { \
682 683
 			if ((_s->s[i] >= '0') && (_s->s[i] <= '9')) { \
684
+				if(*_r > _vmax/10) { \
685
+					return -1; \
686
+				} \
683 687
 				*_r *= 10; \
688
+				if(*_r > _vmax - (_s->s[i] - '0')) { \
689
+					return -1; \
690
+				} \
684 691
 				*_r += _s->s[i] - '0'; \
685 692
 			} else { \
686 693
 				return -1; \
687 694
 			} \
688 695
 		} \
689
-		*_r *= sign; \
696
+		if(sign < 0) { \
697
+			ll = (long long)(*_r) * sign; \
698
+			if(ll < _vmin) { \
699
+				return -1; \
700
+			} \
701
+			*_r *= sign; \
702
+		} \
690 703
 		return 0; \
691 704
 	} while(0)
692 705
 
... ...
@@ -695,7 +708,7 @@ static inline int str2int(str* _s, unsigned int* _r)
695 708
  */
696 709
 static inline int str2slong(str* _s, long* _r)
697 710
 {
698
-	str2snval(_s, _r);
711
+	str2snval(_s, _r, LONG_MIN, LONG_MAX);
699 712
 }
700 713
 
701 714
 
... ...
@@ -704,7 +717,7 @@ static inline int str2slong(str* _s, long* _r)
704 717
  */
705 718
 static inline int str2sint(str* _s, int* _r)
706 719
 {
707
-	str2snval(_s, _r);
720
+	str2snval(_s, _r, INT_MIN, INT_MAX);
708 721
 }
709 722
 
710 723