gre-ilya/libuv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

win: add overflow checks in make_program_env()

Browse Source 
The env_len accumulator in make_program_env() has no overflow protection.
On 32-bit systems, a large environment block can cause env_len *
sizeof(WCHAR) to wrap size_t, resulting in undersized allocations
followed by heap buffer overflows during the copy passes.

Add overflow checks before both allocation sites (second pass and final
pass) to reject environment blocks that would cause arithmetic overflow.
This commit is contained in:
Ali Raza 2026-03-07 03:08:57 +05:00
parent ac46074797
commit 64fbbe3888
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/win/process.c
View File

@ -675,6 +675,8 @@ int make_program_env(char* env_block[], WCHAR** dst_ptr) {
/* second pass: copy to UTF-16 environment block */
len = env_block_count * sizeof(WCHAR*);
if (env_len > (SIZE_MAX - len) / sizeof(WCHAR))
return UV_EINVAL;
p = uv__malloc(len + env_len * sizeof(WCHAR));
if (p == NULL) {
return UV_ENOMEM;
@ -728,6 +730,10 @@ int make_program_env(char* env_block[], WCHAR** dst_ptr) {
}
/* final pass: copy, in sort order, and inserting required variables */
if (env_len > SIZE_MAX / sizeof(WCHAR) - 1) {
uv__free(p);
return UV_EINVAL;
}
dst = uv__malloc((1+env_len) * sizeof(WCHAR));
if (!dst) {
uv__free(p);