twin
Integer overflow when calculating AllocMem() size
https://github.com/cosmos72/twin/blob/b6e4e4bbae457447792a6d7b899e966c2b6571be/server/resize.cpp#L127-L129
This allocation size is derived from user input and the multiplication might overflow. Consider adding upper bounds for x and y, e.g.
    if (x > 0 && y > 0 && x < 1000 && y < 1000) {
      if (!(saveNewCont = NewCont = (tcell *)AllocMem(x * y * sizeof(tcell))))
        return false;
Thanks for spotting this! Yes, that code should check for overflows before the multiplication.
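One way to check for overflow before the multiplication, as an added example that is not part of this thread or of twin's code base. The `tcell` typedef, the `long` dimension type, the helper names `cell_bytes` and `alloc_cells`, and the use of `std::malloc` in place of `AllocMem()` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <limits>

// Assumption: stand-in for twin's cell type; its real definition is not on this page.
typedef uint32_t tcell;

// The casts below rely on every positive long fitting in size_t.
static_assert(sizeof(long) <= sizeof(size_t), "long must fit in size_t");

// Compute x * y * elem_size into *out_bytes without ever performing a
// multiplication that wraps. Returns false if a dimension is not positive
// or if the product does not fit in size_t.
static bool cell_bytes(long x, long y, size_t elem_size, size_t *out_bytes) {
  if (x <= 0 || y <= 0 || elem_size == 0)
    return false;
  const size_t max = std::numeric_limits<size_t>::max();
  const size_t ux = static_cast<size_t>(x);
  const size_t uy = static_cast<size_t>(y);
  if (ux > max / uy)            // ux * uy would wrap
    return false;
  const size_t cells = ux * uy;
  if (cells > max / elem_size)  // cells * elem_size would wrap
    return false;
  *out_bytes = cells * elem_size;
  return true;
}

// Hypothetical helper: allocate an x-by-y cell buffer, or return nullptr
// when the size cannot be represented. std::malloc stands in for AllocMem().
static tcell *alloc_cells(long x, long y) {
  size_t bytes = 0;
  if (!cell_bytes(x, y, sizeof(tcell), &bytes))
    return nullptr;
  return static_cast<tcell *>(std::malloc(bytes));
}

int main() {
  tcell *ok = alloc_cells(80, 25);  // ordinary terminal size
  tcell *bad = alloc_cells(std::numeric_limits<long>::max(), 4);
  int rc = (ok != nullptr && bad == nullptr) ? 0 : 1;
  std::free(ok);
  return rc;
}
```

The division-based test rejects exactly the inputs whose product would wrap, so it can be combined with an upper bound on x and y like the one suggested above; the bound then limits memory use rather than guarding the arithmetic.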