Fix a theoretical overflow in BIO_printf
Found by code inspection. If vsnprintf wanted to write INT_MAX
characters, allocating an INT_MAX + 1 scratch buffer will overflow. Since
we always have INT_MAX < SIZE_MAX, just casting to size_t earlier avoids
this.
(If the malloc implementation is unwilling to allocate INT_MAX + 1,
e.g. it is forbidden to on 32-bit, that's malloc's responsibility to
detect.)
Change-Id: I3c2a740ebc7ecd58464a9f63858ffcefe67f648f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/74247
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/bio/printf.cc b/crypto/bio/printf.cc
index 37f4510..4ad3546 100644
--- a/crypto/bio/printf.cc
+++ b/crypto/bio/printf.cc
@@ -76,10 +76,9 @@
}
if ((size_t)out_len >= sizeof(buf)) {
- const int requested_len = out_len;
- // The output was truncated. Note that vsnprintf's return value
- // does not include a trailing NUL, but the buffer must be sized
- // for it.
+ const size_t requested_len = (size_t)out_len;
+ // The output was truncated. Note that vsnprintf's return value does not
+ // include a trailing NUL, but the buffer must be sized for it.
out = reinterpret_cast<char *>(OPENSSL_malloc(requested_len + 1));
out_malloced = 1;
if (out == NULL) {
@@ -88,7 +87,7 @@
va_start(args, format);
out_len = vsnprintf(out, requested_len + 1, format, args);
va_end(args);
- assert(out_len == requested_len);
+ assert(out_len == (int)requested_len);
} else {
out = buf;
}
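Review bot: The rewritten `assert(out_len == (int)requested_len);` is the only check on the result of the second vsnprintf call, and it compiles out under NDEBUG, so a negative return from that call or a length mismatch would flow into whatever consumes out_len after this hunk (the rest of BIO_printf, including its start and end, is outside the hunk). Since requested_len now comes from a value that was already a non-negative int, the cast back cannot truncate, but that reasoning is not visible here; a one-line comment would help: `// requested_len was derived from a non-negative int, so (int) cannot truncate it.` If the later write uses out_len as its length, a release-mode check such as `if (out_len < 0 || (size_t)out_len != requested_len) { /* take the existing error path */ }` next to the assert would keep a second-pass failure from being silently used. The `(size_t)out_len` cast in the previous hunk likewise presumably relies on a negative-return check before line 20 that is not shown; worth confirming it is there.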