bug-ncurses

Overflow in out_limit calculation


From: Miroslav Lichvar
Subject: Overflow in out_limit calculation
Date: Mon, 6 May 2024 15:07:24 +0200

A static analyzer reports a possible integer overflow in
_nc_setupscreen(): 

        sp->out_limit = (size_t) ((2 + slines) * (6 + scolumns));

slines and scolumns are ints, possibly parsed from the well-known
environment variables, before they are validated in newwin()->...->
dimension_limit(), which might accept any value if NCURSES_SIZE_T is
int.

This doesn't seem to have any security implications, but maybe it
could be improved to prevent the overflow by casting the variables to
size_t or validating the dimensions before that. Does anyone need
COLUMNS or LINES larger than 32767?

-- 
Miroslav Lichvar
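
The two remedies mentioned in the message above (convert to size_t before the arithmetic, or validate the dimensions first), shown as an added example that is not part of the original message or of the ncurses sources. The function names and the MAX_DIM bound are hypothetical, and the overflow check assumes long long is at least twice as wide as int.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DIM 32767 /* assumed bound, the figure asked about in the message */

/* Would the original int expression (2 + slines) * (6 + scolumns) leave
 * the range of int? Checked without executing the overflowing arithmetic.
 * Assumes long long is at least twice as wide as int. */
static int int_expr_overflows(int slines, int scolumns)
{
    if (slines > INT_MAX - 2 || scolumns > INT_MAX - 6)
        return 1;                       /* the additions themselves overflow */
    long long p = (long long)(2 + slines) * (long long)(6 + scolumns);
    return p > INT_MAX || p < INT_MIN;
}

/* Option 1: convert to size_t before the arithmetic. Returns 0 when an
 * input is negative or the product would wrap size_t. */
static size_t out_limit_widened(int slines, int scolumns)
{
    if (slines < 0 || scolumns < 0)
        return 0;
    size_t rows = (size_t)slines + 2, cols = (size_t)scolumns + 6;
    if (rows > SIZE_MAX / cols)
        return 0;
    return rows * cols;
}

/* Option 2: validate the dimensions first, so the int arithmetic cannot
 * overflow with a 32-bit int. Returns 0 when a dimension is rejected. */
static size_t out_limit_validated(int slines, int scolumns)
{
    if (slines < 1 || slines > MAX_DIM || scolumns < 1 || scolumns > MAX_DIM)
        return 0;
    return (size_t)((2 + slines) * (6 + scolumns));
}

int main(void)
{
    /* Constructed sample sizes, as LINES/COLUMNS might supply them. */
    int samples[][2] = { {24, 80}, {32767, 32767}, {50000, 50000} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int l = samples[i][0], c = samples[i][1];
        printf("%dx%d int-overflow=%d widened=%zu validated=%zu\n", l, c,
               int_expr_overflows(l, c), out_limit_widened(l, c),
               out_limit_validated(l, c));
    }
    return 0;
}
```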



