summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorduna.oh <duna.oh@samsung.com>2024-09-25 20:27:11 +0900
committerduna.oh <duna.oh@samsung.com>2024-09-27 11:29:20 +0900
commit00203d5022219895e2885c86ef773cbf58feb495 (patch)
treee52785ae2a5f8674ac469e45ca1d77fdf62ece95
parent63d9d57f04c1b16e370fa28b328fc33489819e07 (diff)
downloadlibxkbcommon-accepted/tizen_unified_toolchain.tar.gz
libxkbcommon-accepted/tizen_unified_toolchain.tar.bz2
libxkbcommon-accepted/tizen_unified_toolchain.zip
In commit b9b3593cbdeb7f5b02d50cecaba6a0b47d4979ad, darray is changed to use unsigned int instead of size_t to reduce memory usage. However, an integer overflow may occur due to arithmetic operation (addition) between values. To address this issue, this commit adds checks if this sums don't exceed their type's maximum value. Change-Id: Iaa689bb3beff0f991c8b9b6d8fc541f971d8c735
-rw-r--r--src/darray.h29
1 files changed, 19 insertions, 10 deletions
diff --git a/src/darray.h b/src/darray.h
index b75d85f..1fcce2b 100644
--- a/src/darray.h
+++ b/src/darray.h
@@ -97,8 +97,11 @@ typedef darray (unsigned long) darray_ulong;
#define darray_append_items(arr, items, count) do { \
unsigned __count = (count), __oldSize = (arr).size; \
- darray_resize(arr, __oldSize + __count); \
- memcpy((arr).item + __oldSize, items, __count * sizeof(*(arr).item)); \
+ size_t __total_size = __oldSize + __count; \
+ if (__total_size <= UINT32_MAX) { \
+ darray_resize(arr, __oldSize + __count); \
+ memcpy((arr).item + __oldSize, items, __count * sizeof(*(arr).item)); \
+ } \
} while (0)
#define darray_from_items(arr, items, count) do { \
@@ -134,18 +137,24 @@ typedef darray (unsigned long) darray_ulong;
#define darray_appends_nullterminate(arr, items, count) do { \
unsigned __count = (count), __oldSize = (arr).size; \
- darray_resize(arr, __oldSize + __count + 1); \
- memcpy((arr).item + __oldSize, items, __count * sizeof(*(arr).item)); \
- (arr).item[--(arr).size] = 0; \
+ size_t __total_size = __oldSize + __count + 1; \
+ if (__total_size <= UINT32_MAX) { \
+ darray_resize(arr, __oldSize + __count + 1); \
+ memcpy((arr).item + __oldSize, items, __count * sizeof(*(arr).item)); \
+ (arr).item[--(arr).size] = 0; \
+ } \
} while (0)
#define darray_prepends_nullterminate(arr, items, count) do { \
unsigned __count = (count), __oldSize = (arr).size; \
- darray_resize(arr, __count + __oldSize + 1); \
- memmove((arr).item + __count, (arr).item, \
- __oldSize * sizeof(*(arr).item)); \
- memcpy((arr).item, items, __count * sizeof(*(arr).item)); \
- (arr).item[--(arr).size] = 0; \
+ size_t __total_size = __count + __oldSize + 1; \
+ if (__total_size <= UINT32_MAX) { \
+ darray_resize(arr, __count + __oldSize + 1); \
+ memmove((arr).item + __count, (arr).item, \
+ __oldSize * sizeof(*(arr).item)); \
+ memcpy((arr).item, items, __count * sizeof(*(arr).item)); \
+ (arr).item[--(arr).size] = 0; \
+ } \
} while (0)
/*** Size management ***/