From 76656afc6dd069fcfda5768e6e54bb85e4e99942 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Thu, 7 Jun 2012 16:30:02 -0700 Subject: _FORTIFY_SOURCE: check for integer overflows Ensure that strcat / strncat check for integer overflows when computing the length of the resulting string. Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37 --- libc/string/__strcat_chk.c | 7 ++++++- libc/string/__strncat_chk.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'libc/string') diff --git a/libc/string/__strcat_chk.c b/libc/string/__strcat_chk.c index 3e02052..7d8c89f 100644 --- a/libc/string/__strcat_chk.c +++ b/libc/string/__strcat_chk.c @@ -29,6 +29,7 @@ #include #include #include +#include /* * Runtime implementation of __builtin____strcat_chk. @@ -46,8 +47,12 @@ char *__strcat_chk (char *dest, const char *src, size_t dest_buf_size) // TODO: optimize so we don't scan src/dest twice. size_t src_len = strlen(src); size_t dest_len = strlen(dest); + size_t sum; - if (src_len + dest_len + 1 > dest_buf_size) { + // sum = src_len + dest_len + 1 (with overflow protection) + if (!safe_add3(&sum, src_len, dest_len, 1U)) abort(); + + if (sum > dest_buf_size) { __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strcat buffer overflow detected ***\n"); abort(); diff --git a/libc/string/__strncat_chk.c b/libc/string/__strncat_chk.c index 9b0b84a..0387626 100644 --- a/libc/string/__strncat_chk.c +++ b/libc/string/__strncat_chk.c @@ -29,6 +29,7 @@ #include #include #include +#include /* * Runtime implementation of __builtin____strncat_chk. @@ -51,7 +52,11 @@ char *__strncat_chk (char *dest, const char *src, src_len = len; } - if (dest_len + src_len + 1 > dest_buf_size) { + size_t sum; + // sum = src_len + dest_len + 1 (with overflow protection) + if (!safe_add3(&sum, src_len, dest_len, 1U)) abort(); + + if (sum > dest_buf_size) { __libc_android_log_print(ANDROID_LOG_FATAL, "libc", "*** strncat buffer overflow detected ***\n"); abort(); -- cgit v1.1