Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge remote-tracking branch 'tor-github/pr/1178' into maint-0.2.9

teor 4 years ago
parent
511aeba8ee 97d73db7c3
commit
7660a7cf7d
2 changed files with 10 additions and 4 deletions
Split View Show Diff Stats
  1. 6 0
      changes/ticket31001
  2. 4 4
      src/common/compat.c

+ 6 - 0
changes/ticket31001
View File 

@@ -0,0 +1,6 @@
 
+  o Minor bugfixes (compatibility, standards compliance):
 
+    - Fix a bug that would invoke undefined behavior on certain operating
 
+      systems when trying to asprintf() a string exactly INT_MAX bytes
 
+      long. We don't believe this is exploitable, but it's better
 
+      to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha.
 
+      Found and fixed by Tobias Stoeckmann.

+ 4 - 4
src/common/compat.c
View File 

@@ -542,8 +542,8 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
 
     *strp = NULL;
 
     return -1;
 
   }
 
-  strp_tmp = tor_malloc(len + 1);
 
-  r = _vsnprintf(strp_tmp, len+1, fmt, args);
 
+  strp_tmp = tor_malloc((size_t)len + 1);
 
+  r = _vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
 
   if (r != len) {
 
     tor_free(strp_tmp);
 
     *strp = NULL;
 
@@ -578,9 +578,9 @@ tor_vasprintf(char **strp, const char *fmt, va_list args)
 
     *strp = tor_strdup(buf);
 
     return len;
 
   }
 
-  strp_tmp = tor_malloc(len+1);
 
+  strp_tmp = tor_malloc((size_t)len+1);
 
   /* use of tor_vsnprintf() will ensure string is null terminated */
 
-  r = tor_vsnprintf(strp_tmp, len+1, fmt, args);
 
+  r = tor_vsnprintf(strp_tmp, (size_t)len+1, fmt, args);
 
   if (r != len) {
 
     tor_free(strp_tmp);
 
     *strp = NULL;