|
@@ -394,6 +394,10 @@ buf_free(buf_t *buf)
|
|
{
|
|
{
|
|
if (!buf)
|
|
if (!buf)
|
|
return;
|
|
return;
|
|
|
|
+ if (BUG(buf_out->datalen >= INT_MAX || buf_in->datalen >= INT_MAX))
|
|
|
|
+ return;
|
|
|
|
+ if (BUG(buf_out->datalen >= INT_MAX - buf_in->datalen))
|
|
|
|
+ return;
|
|
|
|
|
|
buf_clear(buf);
|
|
buf_clear(buf);
|
|
buf->magic = 0xdeadbeef;
|
|
buf->magic = 0xdeadbeef;
|
|
@@ -1034,6 +1038,7 @@ buf_find_pos_of_char(char ch, buf_pos_t *out)
|
|
static inline int
|
|
static inline int
|
|
buf_pos_inc(buf_pos_t *pos)
|
|
buf_pos_inc(buf_pos_t *pos)
|
|
{
|
|
{
|
|
|
|
+ tor_assert(pos->pos < INT_MAX - 1);
|
|
++pos->pos;
|
|
++pos->pos;
|
|
if (pos->pos == (off_t)pos->chunk->datalen) {
|
|
if (pos->pos == (off_t)pos->chunk->datalen) {
|
|
if (!pos->chunk->next)
|
|
if (!pos->chunk->next)
|
|
@@ -1925,6 +1930,7 @@ buf_find_offset_of_char(buf_t *buf, char ch)
|
|
{
|
|
{
|
|
chunk_t *chunk;
|
|
chunk_t *chunk;
|
|
off_t offset = 0;
|
|
off_t offset = 0;
|
|
|
|
+ tor_assert(buf->datalen < INT_MAX);
|
|
for (chunk = buf->head; chunk; chunk = chunk->next) {
|
|
for (chunk = buf->head; chunk; chunk = chunk->next) {
|
|
char *cp = memchr(chunk->data, ch, chunk->datalen);
|
|
char *cp = memchr(chunk->data, ch, chunk->datalen);
|
|
if (cp)
|
|
if (cp)
|
|
@@ -2044,6 +2050,7 @@ assert_buf_ok(buf_t *buf)
|
|
for (ch = buf->head; ch; ch = ch->next) {
|
|
for (ch = buf->head; ch; ch = ch->next) {
|
|
total += ch->datalen;
|
|
total += ch->datalen;
|
|
tor_assert(ch->datalen <= ch->memlen);
|
|
tor_assert(ch->datalen <= ch->memlen);
|
|
|
|
+ tor_assert(ch->datalen < INT_MAX);
|
|
tor_assert(ch->data >= &ch->mem[0]);
|
|
tor_assert(ch->data >= &ch->mem[0]);
|
|
tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
|
|
tor_assert(ch->data <= &ch->mem[0]+ch->memlen);
|
|
if (ch->data == &ch->mem[0]+ch->memlen) {
|
|
if (ch->data == &ch->mem[0]+ch->memlen) {
|