
fixed security vulnerability in scratchpad for 32bit builds

Alberto Demichelis 1 年之前
父节点
当前提交
f6720d71e3
共有 2 个文件被更改,包括 10 次插入6 次删除
  1. 9 6
      squirrel/sqstate.cpp
  2. 1 0
      squirrel/squtils.h

+ 9 - 6
squirrel/sqstate.cpp

@@ -374,15 +374,18 @@ void SQCollectable::RemoveFromChain(SQCollectable **chain,SQCollectable *c)
 SQChar* SQSharedState::GetScratchPad(SQInteger size)
 {
     SQInteger newsize;
-    if(size>0) {
-        if(_scratchpadsize < size) {
-            newsize = size + (size>>1);
-            _scratchpad = (SQChar *)SQ_REALLOC(_scratchpad,_scratchpadsize,newsize);
+    if (size > 0) {
+        if (_scratchpadsize < size) {
+            newsize = size + (size >> 1);
+            newsize = sq_max(newsize, size); //check for overflow
+            _scratchpad = (SQChar*)SQ_REALLOC(_scratchpad, _scratchpadsize, newsize);
             _scratchpadsize = newsize;
 
-        }else if(_scratchpadsize >= (size<<5)) {
+        }
+        else if (_scratchpadsize >= (size << 5)) {
             newsize = _scratchpadsize >> 1;
-            _scratchpad = (SQChar *)SQ_REALLOC(_scratchpad,_scratchpadsize,newsize);
+            newsize = sq_max(newsize, size); //check for overflow
+            _scratchpad = (SQChar*)SQ_REALLOC(_scratchpad, _scratchpadsize, newsize);
             _scratchpadsize = newsize;
         }
     }
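Review bot: The added `sq_max(newsize, size)` on the grow path only works if `size + (size >> 1)` has already wrapped, and in C++17 signed overflow is undefined behaviour, so the compiler is free to assume `newsize >= size` and drop the check entirely. Guard before the arithmetic instead, e.g. `newsize = (size >> 1) <= std::numeric_limits<SQInteger>::max() - size ? size + (size >> 1) : size;` (assuming `<limits>` is, or can be, included in sqstate.cpp). The same applies to `size << 5` in the else-if: left-shifting a signed value out of range is UB, and `else if ((_scratchpadsize >> 5) >= size) {` is the equivalent comparison with no overflow. With that rewrite the second `sq_max` becomes redundant (`_scratchpadsize >> 1` cannot overflow and is at least 16*size), so its `//check for overflow` comment is misleading as written; it guards against a wrapped `size << 5`, not against the halving. GetScratchPad's body continues past the hunk.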

+ 1 - 0
squirrel/squtils.h

@@ -13,6 +13,7 @@ void sq_vm_free(void *p,SQUnsignedInteger size);
 #define SQ_REALLOC(__ptr,__oldsize,__size) sq_vm_realloc((__ptr),(__oldsize),(__size));
 
 #define sq_aligning(v) (((size_t)(v) + (SQ_ALIGNMENT-1)) & (~(SQ_ALIGNMENT-1)))
+#define sq_max(a, b) ((a) > (b) ? (a) : (b))
 
 //sqvector mini vector class, supports objects by value
 template<typename T> class sqvector
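Review bot: `sq_max` evaluates each argument twice, which is fine for the plain variables passed in sqstate.cpp but will silently double a side effect if a caller ever passes `i++` or a function call; a comment above the macro, `// NOTE: evaluates both arguments twice - pass only side-effect-free expressions`, records that restriction. Since squtils.h already uses templates (sqvector just below), `template<typename T> inline T sq_max(T a, T b) { return a > b ? a : b; }` would avoid the issue entirely, with the only constraint that both arguments share a type, which holds for the current callers where `newsize` and `size` are both SQInteger.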