author | Nick Kralevich <nnk@google.com> | 2012-06-07 16:30:02 -0700 |
---|---|---|
committer | Geremy Condra <gcondra@google.com> | 2012-06-08 20:18:19 -0700 |
commit | 76656afc6dd069fcfda5768e6e54bb85e4e99942 (patch) | |
tree | 8fc474895f6bffba90a06989e9a168fbaaaff99a /libc/string | |
parent | f41855949d5f19e0fc1f8873278ae21c52dd5676 (diff) | |
_FORTIFY_SOURCE: check for integer overflows
Ensure that strcat / strncat check for integer overflows
when computing the length of the resulting string.
Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37
Diffstat (limited to 'libc/string')
-rw-r--r-- | libc/string/__strcat_chk.c | 7 | ||||
-rw-r--r-- | libc/string/__strncat_chk.c | 7 |
2 files changed, 12 insertions, 2 deletions
diff --git a/libc/string/__strcat_chk.c b/libc/string/__strcat_chk.c
index 3e02052..7d8c89f 100644
--- a/libc/string/__strcat_chk.c
+++ b/libc/string/__strcat_chk.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <private/logd.h>
+#include <safe_iop.h>
 /*
 * Runtime implementation of __builtin____strcat_chk.
@@ -46,8 +47,12 @@ char *__strcat_chk (char *dest, const char *src, size_t dest_buf_size)
 // TODO: optimize so we don't scan src/dest twice.
 size_t src_len = strlen(src);
 size_t dest_len = strlen(dest);
+ size_t sum;
- if (src_len + dest_len + 1 > dest_buf_size) {
+ // sum = src_len + dest_len + 1 (with overflow protection)
+ if (!safe_add3(&sum, src_len, dest_len, 1U)) abort();
+
+ if (sum > dest_buf_size) {
 __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strcat buffer overflow detected ***\n");
 abort();
diff --git a/libc/string/__strncat_chk.c b/libc/string/__strncat_chk.c
index 9b0b84a..0387626 100644
--- a/libc/string/__strncat_chk.c
+++ b/libc/string/__strncat_chk.c
@@ -29,6 +29,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <private/logd.h>
+#include <safe_iop.h>
 /*
 * Runtime implementation of __builtin____strncat_chk.
@@ -51,7 +52,11 @@ char *__strncat_chk (char *dest, const char *src,
 src_len = len;
 }
- if (dest_len + src_len + 1 > dest_buf_size) {
+ size_t sum;
+ // sum = src_len + dest_len + 1 (with overflow protection)
+ if (!safe_add3(&sum, src_len, dest_len, 1U)) abort();
+
+ if (sum > dest_buf_size) {
 __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strncat buffer overflow detected ***\n");
 abort(); |
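Review bot: The new overflow branch in `__strcat_chk` calls `abort()` without the fatal log line that the size check directly below it emits, so a crash on this path leaves no message identifying it as a FORTIFY failure. Log before aborting, for example `__libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strcat integer overflow detected ***\n");`, and put the body in braces instead of keeping `abort();` on the `if` line. The matching branch in `__strncat_chk.c` has the same gap. The function body begins before this hunk and continues past it.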
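Review bot: `safe_add3` is given `1U` (an `unsigned int`) next to two `size_t` operands in `__strncat_chk`, and the same call appears in `__strcat_chk.c`. `safe_iop.h` is not part of this change, but if its macros require all operands to share one type, the call would report failure on any target where `size_t` is wider than `unsigned int`, and the function would abort on every call. Passing `(size_t)1` removes that dependence, and a small strcat/strncat test built with _FORTIFY_SOURCE on each supported ABI would confirm the behaviour. `__strncat_chk` starts before this hunk and continues past it.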