diff options
| author | Vladislav Shchapov <vladislav@shchapov.ru> | 2026-01-17 18:46:50 +0500 |
|---|---|---|
| committer | Hans Kristian Rosbach <hk-github@circlestorm.org> | 2026-01-21 18:00:36 +0100 |
| commit | 51ec71d98523794b61381bae4cb53a0f09d06437 (patch) | |
| tree | 15dc4675139c34f5cdcc40b4f15b7325459d7474 /test | |
| parent | bb5f5ef1a4ca0ee616a62b5a1f619f83217fb9de (diff) | |
| download | Project-Tick-51ec71d98523794b61381bae4cb53a0f09d06437.tar.gz Project-Tick-51ec71d98523794b61381bae4cb53a0f09d06437.zip | |
Fix integer overflow in gz_compress_mmap
Signed-off-by: Vladislav Shchapov <vladislav@shchapov.ru>
Diffstat (limited to 'test')
| -rw-r--r-- | test/fuzz/fuzzer_minigzip.c | 19 | ||||
| -rw-r--r-- | test/minigzip.c | 19 |
2 files changed, 20 insertions, 18 deletions
diff --git a/test/fuzz/fuzzer_minigzip.c b/test/fuzz/fuzzer_minigzip.c index 6e38881962..3f58f4a299 100644 --- a/test/fuzz/fuzzer_minigzip.c +++ b/test/fuzz/fuzzer_minigzip.c @@ -70,26 +70,27 @@ static void error(const char *msg) { * success, Z_ERRNO otherwise. */ static int gz_compress_mmap(FILE *in, gzFile out) { - int len; int err; int ifd = fileno(in); - char *buf; /* mmap'ed buffer for the entire input file */ - off_t buf_len; /* length of the input file */ + void *buf; /* mmap'ed buffer for the entire input file */ + size_t buf_len; /* length of the input file */ + size_t len; struct stat sb; /* Determine the size of the file, needed for mmap: */ if (fstat(ifd, &sb) < 0) return Z_ERRNO; - buf_len = sb.st_size; - if (buf_len <= 0) return Z_ERRNO; + /* Check size_t overflow */ + if (sb.st_size <= 0 || sb.st_size > PTRDIFF_MAX) return Z_ERRNO; + buf_len = (size_t)sb.st_size; /* Now do the actual mmap: */ - buf = mmap((void *)0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); - if (buf == (char *)(-1)) return Z_ERRNO; + buf = mmap(NULL, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); + if (buf == MAP_FAILED) return Z_ERRNO; /* Compress the whole file at once: */ - len = PREFIX(gzwrite)(out, (char *)buf, (unsigned)buf_len); + len = PREFIX(gzfwrite)(buf, 1, buf_len, out); - if (len != (int)buf_len) error(PREFIX(gzerror)(out, &err)); + if (len != buf_len) error(PREFIX(gzerror)(out, &err)); munmap(buf, buf_len); fclose(in); diff --git a/test/minigzip.c b/test/minigzip.c index 446b12e652..9f86018a6b 100644 --- a/test/minigzip.c +++ b/test/minigzip.c @@ -85,25 +85,26 @@ static void gz_fatal(gzFile file) { * success, Z_ERRNO otherwise. */ static int gz_compress_mmap(FILE *in, gzFile out) { - int len; int ifd = fileno(in); - char *buf; /* mmap'ed buffer for the entire input file */ - off_t buf_len; /* length of the input file */ + void *buf; /* mmap'ed buffer for the entire input file */ + size_t buf_len; /* length of the input file */ + size_t len; struct stat sb; /* Determine the size of the file, needed for mmap: */ if (fstat(ifd, &sb) < 0) return Z_ERRNO; - buf_len = sb.st_size; - if (buf_len <= 0) return Z_ERRNO; + /* Check size_t overflow */ + if (sb.st_size <= 0 || sb.st_size > PTRDIFF_MAX) return Z_ERRNO; + buf_len = (size_t)sb.st_size; /* Now do the actual mmap: */ - buf = mmap((void *)0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); - if (buf == (char *)(-1)) return Z_ERRNO; + buf = mmap(NULL, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); + if (buf == MAP_FAILED) return Z_ERRNO; /* Compress the whole file at once: */ - len = PREFIX(gzwrite)(out, buf, (unsigned)buf_len); + len = PREFIX(gzfwrite)(buf, 1, buf_len, out); - if (len != (int)buf_len) gz_fatal(out); + if (len != buf_len) gz_fatal(out); munmap(buf, buf_len); fclose(in); |