aboutsummaryrefslogtreecommitdiffstats
path: root/lib/erl_interface
diff options
context:
space:
mode:
authorMichael Santos <[email protected]>2011-06-06 10:55:19 -0400
committerRaimo Niskanen <[email protected]>2011-06-07 17:50:33 +0200
commit9cf9cde066d26569178f5f67600278ae67e102dd (patch)
tree93c9842f47b23576f53ef6141c766c0d4ecd84c2 /lib/erl_interface
parent612de104d23a01d5753ca39f4db4e14ba0234897 (diff)
downloadotp-9cf9cde066d26569178f5f67600278ae67e102dd.tar.gz
otp-9cf9cde066d26569178f5f67600278ae67e102dd.tar.bz2
otp-9cf9cde066d26569178f5f67600278ae67e102dd.zip
ei: integer overflow in string/atom encoding
ei_encode_atom() and ei_encode_string() use strlen() to get the length of the buffer. As strlen() returns an unsigned long long and both ei functions take a signed integer, the length fields may overflow. Check the results of strlen can be held in a signed integer.
Diffstat (limited to 'lib/erl_interface')
-rw-r--r--lib/erl_interface/src/encode/encode_atom.c6
-rw-r--r--lib/erl_interface/src/encode/encode_string.c6
2 files changed, 10 insertions, 2 deletions
diff --git a/lib/erl_interface/src/encode/encode_atom.c b/lib/erl_interface/src/encode/encode_atom.c
index 69f2d1451c..b1a4479034 100644
--- a/lib/erl_interface/src/encode/encode_atom.c
+++ b/lib/erl_interface/src/encode/encode_atom.c
@@ -17,13 +17,17 @@
* %CopyrightEnd%
*/
#include <string.h>
+#include <limits.h>
#include "eidef.h"
#include "eiext.h"
#include "putget.h"
int ei_encode_atom(char *buf, int *index, const char *p)
{
- return ei_encode_atom_len(buf, index, p, strlen(p));
+ size_t len = strlen(p);
+
+ if (len >= INT_MAX) return -1;
+ return ei_encode_atom_len(buf, index, p, len);
}
int ei_encode_atom_len(char *buf, int *index, const char *p, int len)
diff --git a/lib/erl_interface/src/encode/encode_string.c b/lib/erl_interface/src/encode/encode_string.c
index 1d342cb605..593bbf2b6d 100644
--- a/lib/erl_interface/src/encode/encode_string.c
+++ b/lib/erl_interface/src/encode/encode_string.c
@@ -17,6 +17,7 @@
* %CopyrightEnd%
*/
#include <string.h>
+#include <limits.h>
#include "eidef.h"
#include "eiext.h"
#include "putget.h"
@@ -24,7 +25,10 @@
int ei_encode_string(char *buf, int *index, const char *p)
{
- return ei_encode_string_len(buf, index, p, strlen(p));
+ size_t len = strlen(p);
+
+ if (len >= INT_MAX) return -1;
+ return ei_encode_string_len(buf, index, p, len);
}
int ei_encode_string_len(char *buf, int *index, const char *p, int len)