[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] wget: avoid triggering signed integer overflow
|
From: |
liaichun |
|
Subject: |
[PATCH] wget: avoid triggering signed integer overflow |
|
Date: |
Fri, 28 Aug 2020 02:43:45 +0000 |
Subject: [PATCH] avoid triggering signed integer overflow
I found the following problems when I was doing the fuzzy test of wget.
The value of timeout is of the int type, and the value is not checked during
multiplication.
When the value of timeout is too large, multiplication overflow occurs when
multiplying the value by 10.
Signed-off-by: Chengliang Zhu <zhuchengliang4@huawei.com>
Signed-off-by: Aichun Li <liaichun@huawei.com<mailto:liaichun@huawei.com>>
---
src/html-url.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/html-url.c b/src/html-url.c
index 2f95357..409f2a0 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -596,7 +596,11 @@ tag_handle_meta (int tagid _GL_UNUSED, struct taginfo
*tag, struct map_context *
return;
for (p = refresh; c_isdigit (*p); p++)
- timeout = 10 * timeout + *p - '0';
+ {
+ if (timeout > INT_MAX >> 4 || *p - '0' > INT_MAX - 10 * timeout)
+ return;
+ timeout = 10 * timeout + *p - '0';
+ }
if (*p++ != ';')
return;
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [PATCH] wget: avoid triggering signed integer overflow,
liaichun <=