gre-ilya/libuv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

win: add overflow check in search_path_join_test()

Browse Source 
The allocation size for the joined path is computed as a sum of multiple
lengths multiplied by sizeof(WCHAR). On 32-bit systems, if path
components are long enough, the sum or the multiplication can wrap
size_t, producing a tiny allocation. The subsequent wcsncpy calls then
write past the buffer end.

Add overflow checks for both the addition and the multiplication before
allocating.
This commit is contained in:
Ali Raza 2026-03-07 03:09:38 +05:00
parent 36364c3d74
commit 2ad3e071c3
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/win/process.c
View File

@ -186,8 +186,15 @@ static WCHAR* search_path_join_test(const WCHAR* dir,
}
/* Allocate buffer for output */
result = result_pos = (WCHAR*)uv__malloc(sizeof(WCHAR) *
(cwd_len + 1 + dir_len + 1 + name_len + 1 + ext_len + 1));
{
size_t alloc_len = cwd_len + 1 + dir_len + 1 + name_len + 1 + ext_len + 1;
if (alloc_len > SIZE_MAX / sizeof(WCHAR) ||
alloc_len < cwd_len /* overflow in the addition */) {
SetLastError(ERROR_OUTOFMEMORY);
return NULL;
}
result = result_pos = (WCHAR*)uv__malloc(sizeof(WCHAR) * alloc_len);
}
/* Copy cwd */
wcsncpy(result_pos, cwd, cwd_len);