_FORTIFY_SOURCE: check for integer overflows Ensure that strcat / strncat check for integer overflows when computing the length of the resulting string. Change-Id: Ib806ad33a0d3b50876f384bc17787a28f0dddc37

commit: 76656afc6dd069fcfda5768e6e54bb85e4e99942 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Jun 07 16:30:02 2012 -0700
committer: Geremy Condra <gcondra@google.com> Fri Jun 08 20:18:19 2012 -0700
tree: 8fc474895f6bffba90a06989e9a168fbaaaff99a
parent: f41855949d5f19e0fc1f8873278ae21c52dd5676 [diff] [blame]
diff --git a/libc/string/__strncat_chk.c b/libc/string/__strncat_chk.c
index 9b0b84a..0387626 100644
--- a/libc/string/__strncat_chk.c
+++ b/libc/string/__strncat_chk.c

@@ -29,6 +29,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <private/logd.h>
+#include <safe_iop.h>
 
 /*
  * Runtime implementation of __builtin____strncat_chk.
@@ -51,7 +52,11 @@
         src_len = len;
     }
 
-    if (dest_len + src_len + 1 > dest_buf_size) {
+    size_t sum;
+    // sum = src_len + dest_len + 1 (with overflow protection)
+    if (!safe_add3(&sum, src_len, dest_len, 1U)) abort();
+
+    if (sum > dest_buf_size) {
         __libc_android_log_print(ANDROID_LOG_FATAL, "libc",
             "*** strncat buffer overflow detected ***\n");
         abort();
commit	76656afc6dd069fcfda5768e6e54bb85e4e99942	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Jun 07 16:30:02 2012 -0700
committer	Geremy Condra <gcondra@google.com>	Fri Jun 08 20:18:19 2012 -0700
tree	8fc474895f6bffba90a06989e9a168fbaaaff99a
parent	f41855949d5f19e0fc1f8873278ae21c52dd5676 [diff] [blame]