Avoid integer overflows with very long strings

2013-10-15 08:44:04 +03:00 · 2013-10-15 08:44:04 +03:00 · d544852ff6
commit d544852ff6
parent 8dc3233f3b
2 changed files with 8 additions and 1 deletions
--- a/src/hashtable.c
+++ b/src/hashtable.c
@ -249,6 +249,13 @@ int hashtable_set(hashtable_t *hashtable,
        /* offsetof(...) returns the size of pair_t without the last,
           flexible member. This way, the correct amount is
           allocated. */
+
+        size_t len = strlen(key);
+        if(len > (size_t)-1 - offsetof(pair_t, key)) {
+            /* Avoid an overflow if the key is very long */
+            return -1;
+        }
+
        pair = jsonp_malloc(offsetof(pair_t, key) + strlen(key) + 1);
        if(!pair)
            return -1;
--- a/src/utf.c
+++ b/src/utf.c
@ -173,7 +173,7 @@ int utf8_check_string(const char *string, size_t length)
            return 0;
        else if(count > 1)
        {
-            if(i + count > length)
+            if(count > length - i)
                return 0;

            if(!utf8_check_full(&string[i], count, NULL))