vis(3): Avoid arithmetic overflow before calloc(3).

Prompted by PR lib/57573. XXX pullup-10 XXX pullup-9 XXX pullup-8
2023-08-12 12:47:17 +00:00 · 2023-08-12 12:47:17 +00:00 · 4476814b92
parent 0da31b0324
commit 4476814b92
1 changed files with 10 additions and 2 deletions
--- a/lib/libc/gen/vis.c
+++ b/lib/libc/gen/vis.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vis.c,v 1.78 2023/08/12 12:46:50 riastradh Exp $	*/
+/*	$NetBSD: vis.c,v 1.79 2023/08/12 12:47:17 riastradh Exp $	*/

 /*-
 * Copyright (c) 1989, 1993
@ -57,7 +57,7 @@

 #include <sys/cdefs.h>
 #if defined(LIBC_SCCS) && !defined(lint)
-__RCSID("$NetBSD: vis.c,v 1.78 2023/08/12 12:46:50 riastradh Exp $");
+__RCSID("$NetBSD: vis.c,v 1.79 2023/08/12 12:47:17 riastradh Exp $");
 #endif /* LIBC_SCCS and not lint */
 #ifdef __FBSDID
 __FBSDID("$FreeBSD$");
@ -432,6 +432,14 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength,
 	 * return to the caller.
 	 */

+	/*
+	 * Guarantee the arithmetic on input to calloc won't overflow.
+	 */
+	if (mbslength > (SIZE_MAX - 1)/16) {
+		errno = ENOMEM;
+		return -1;
+	}
+
 	/* Allocate space for the wide char strings */
 	psrc = pdst = extra = NULL;
 	mdst = NULL;