diff options
author | Michael Santos <michael.santos@gmail.com> | 2011-06-06 10:55:19 -0400 |
---|---|---|
committer | Raimo Niskanen <raimo@erlang.org> | 2011-06-07 17:50:33 +0200 |
commit | 9cf9cde066d26569178f5f67600278ae67e102dd (patch) | |
tree | 93c9842f47b23576f53ef6141c766c0d4ecd84c2 /lib/erl_interface/src/encode | |
parent | 612de104d23a01d5753ca39f4db4e14ba0234897 (diff) | |
download | otp-9cf9cde066d26569178f5f67600278ae67e102dd.tar.gz otp-9cf9cde066d26569178f5f67600278ae67e102dd.tar.bz2 otp-9cf9cde066d26569178f5f67600278ae67e102dd.zip |
ei: integer overflow in string/atom encoding
ei_encode_atom() and ei_encode_string() use strlen() to get the length
of the buffer. As strlen() returns an unsigned long long and both ei
functions take a signed integer, the length fields may overflow.
Check the results of strlen can be held in a signed integer.
Diffstat (limited to 'lib/erl_interface/src/encode')
-rw-r--r-- | lib/erl_interface/src/encode/encode_atom.c | 6 | ||||
-rw-r--r-- | lib/erl_interface/src/encode/encode_string.c | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/erl_interface/src/encode/encode_atom.c b/lib/erl_interface/src/encode/encode_atom.c index 69f2d1451c..b1a4479034 100644 --- a/lib/erl_interface/src/encode/encode_atom.c +++ b/lib/erl_interface/src/encode/encode_atom.c @@ -17,13 +17,17 @@ * %CopyrightEnd% */ #include <string.h> +#include <limits.h> #include "eidef.h" #include "eiext.h" #include "putget.h" int ei_encode_atom(char *buf, int *index, const char *p) { - return ei_encode_atom_len(buf, index, p, strlen(p)); + size_t len = strlen(p); + + if (len >= INT_MAX) return -1; + return ei_encode_atom_len(buf, index, p, len); } int ei_encode_atom_len(char *buf, int *index, const char *p, int len) diff --git a/lib/erl_interface/src/encode/encode_string.c b/lib/erl_interface/src/encode/encode_string.c index 1d342cb605..593bbf2b6d 100644 --- a/lib/erl_interface/src/encode/encode_string.c +++ b/lib/erl_interface/src/encode/encode_string.c @@ -17,6 +17,7 @@ * %CopyrightEnd% */ #include <string.h> +#include <limits.h> #include "eidef.h" #include "eiext.h" #include "putget.h" @@ -24,7 +25,10 @@ int ei_encode_string(char *buf, int *index, const char *p) { - return ei_encode_string_len(buf, index, p, strlen(p)); + size_t len = strlen(p); + + if (len >= INT_MAX) return -1; + return ei_encode_string_len(buf, index, p, len); } int ei_encode_string_len(char *buf, int *index, const char *p, int len) |