_FORTIFY_SOURCE: check for integer overflows Ensure that strcat / strncat check for integer overflows when computing the length of the resulting string. Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37

commit: 76656afc6dd069fcfda5768e6e54bb85e4e99942 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Jun 07 16:30:02 2012 -0700
committer: Geremy Condra <gcondra@google.com> Fri Jun 08 20:18:19 2012 -0700
tree: 8fc474895f6bffba90a06989e9a168fbaaaff99a
parent: f41855949d5f19e0fc1f8873278ae21c52dd5676 [diff] [blame]
diff --git a/libc/string/__strcat_chk.c b/libc/string/__strcat_chk.c
index 3e02052..7d8c89f 100644
--- a/libc/string/__strcat_chk.c
+++ b/libc/string/__strcat_chk.c

@@ -29,6 +29,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <private/logd.h>
+#include <safe_iop.h>
 
 /*
  * Runtime implementation of __builtin____strcat_chk.
@@ -46,8 +47,12 @@
     // TODO: optimize so we don't scan src/dest twice.
     size_t src_len  = strlen(src);
     size_t dest_len = strlen(dest);
+    size_t sum;
 
-    if (src_len + dest_len + 1 > dest_buf_size) {
+    // sum = src_len + dest_len + 1 (with overflow protection)
+    if (!safe_add3(&sum, src_len, dest_len, 1U)) abort();
+
+    if (sum > dest_buf_size) {
         __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
             "*** strcat buffer overflow detected ***\n");
         abort();
commit	76656afc6dd069fcfda5768e6e54bb85e4e99942	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Jun 07 16:30:02 2012 -0700
committer	Geremy Condra <gcondra@google.com>	Fri Jun 08 20:18:19 2012 -0700
tree	8fc474895f6bffba90a06989e9a168fbaaaff99a
parent	f41855949d5f19e0fc1f8873278ae21c52dd5676 [diff] [blame]