ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-26 10:06:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

additional length checks

Browse Source
This commit is contained in:
Matt Johnston 2016-07-11 23:34:18 +08:00
parent 8fd720c3e3
commit c0f63ee100
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
buffer.c
View File

@ -141,8 +141,9 @@ void buf_incrwritepos(buffer* buf, unsigned int incr) {
/* increment the position by incr, negative values are allowed, to /* increment the position by incr, negative values are allowed, to
* decrement the pos*/ * decrement the pos*/
void buf_incrpos(buffer* buf, int incr) { void buf_incrpos(buffer* buf, int incr) {
if (incr > BUF_MAX_INCR || if (incr > BUF_MAX_INCR
(unsigned int)((int)buf->pos + incr) > buf->len || incr < -BUF_MAX_INCR
|| (unsigned int)((int)buf->pos + incr) > buf->len
|| ((int)buf->pos + incr) < 0) { || ((int)buf->pos + incr) < 0) {
dropbear_exit("Bad buf_incrpos"); dropbear_exit("Bad buf_incrpos");
} }
@ -184,7 +185,7 @@ void buf_putbyte(buffer* buf, unsigned char val) {
* the next len bytes from that position can be used */ * the next len bytes from that position can be used */
unsigned char* buf_getptr(buffer* buf, unsigned int len) { unsigned char* buf_getptr(buffer* buf, unsigned int len) {
if (buf->pos + len > buf->len) { if (len > BUF_MAX_INCR || buf->pos + len > buf->len) {
dropbear_exit("Bad buf_getptr"); dropbear_exit("Bad buf_getptr");
} }
return &buf->data[buf->pos]; return &buf->data[buf->pos];
@ -194,7 +195,7 @@ unsigned char* buf_getptr(buffer* buf, unsigned int len) {
* This allows writing past the used length, but not past the size */ * This allows writing past the used length, but not past the size */
unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) { unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) {
if (buf->pos + len > buf->size) { if (len > BUF_MAX_INCR || buf->pos + len > buf->size) {
dropbear_exit("Bad buf_getwriteptr"); dropbear_exit("Bad buf_getwriteptr");
} }
return &buf->data[buf->pos]; return &buf->data[buf->pos];