bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] wget: avoid triggering signed integer overflow


From: liaichun
Subject: [PATCH] wget: avoid triggering signed integer overflow
Date: Fri, 28 Aug 2020 02:43:45 +0000

Subject: [PATCH] avoid triggering signed integer overflow

I found the following problems when I was doing the fuzzy test of wget.
The value of timeout is of the int type, and the value is not checked during
multiplication.
When the value of timeout is too large, multiplication overflow occurs when
multiplying the value by 10.

Signed-off-by: Chengliang Zhu <zhuchengliang4@huawei.com>
Signed-off-by: Aichun Li <liaichun@huawei.com<mailto:liaichun@huawei.com>>

---
src/html-url.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/html-url.c b/src/html-url.c
index 2f95357..409f2a0 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -596,7 +596,11 @@ tag_handle_meta (int tagid _GL_UNUSED, struct taginfo 
*tag, struct map_context *
         return;
       for (p = refresh; c_isdigit (*p); p++)
-        timeout = 10 * timeout + *p - '0';
+        {
+          if (timeout > INT_MAX >> 4 || *p - '0' > INT_MAX - 10 * timeout)
+            return;
+          timeout = 10 * timeout + *p - '0';
+        }
       if (*p++ != ';')
         return;


reply via email to

[Prev in Thread] Current Thread [Next in Thread]