Fix size_t overflow in Malloc() argument in ReadParams()#77
Conversation
There were still two issues after commit b0eabca (Update fcgiapp.c, Fixing an integer overflow (CVE-2025-23016)):

* Signed int overflow in "nameLen + valueLen + 2" expression.
* Sizes of size_t and int types are in general unrelated.

This fix resolves both of the issues.

Related to CVE-2025-23016.
Resolve FastCGI-Archives#67.

Signed-off-by: Petr Písař <[email protected]>
a6dd59b to 7c47639
| #include <memory.h> /* for memchr() */ | ||
| #include <stdarg.h> | ||
| #include <stdio.h> | ||
| #include <stdint.h> |
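Review bot: the new `#include <stdint.h>` line makes C99 a hard requirement for fcgiapp.c, and nothing in this hunk declares or guards it; the surrounding includes are unconditional, so a pre-C99 toolchain will only find out at compile time. Suggest either an `AC_PROG_CC_C99` (or `AC_CHECK_HEADERS([stdint.h])` plus an `#ifdef HAVE_STDINT_H` fallback) in the autoconf input, or a short comment next to the include saying why SIZE_MAX / uintmax_t are needed, so the dependency is visible to whoever builds on older compilers.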
This introduces an implicit dependency on at least C99.
LeSpocky left a comment:
I'm not familiar with autotools, but shouldn't that new dependency somehow be reflected by the build system?
The build action seems to work, but now I have the warning: @ppisar I think

ppisar
Of course the types used in this function are badly chosen. I'm glad you have found it out. But don't forget that you won't escape the comparison: FCGX_GetChar() returns int, so you need to validate the range when assigning its return value to

By the way, the signed comparison warning comes from the fact that your standard library defines the SIZE_MAX constant value with an LU suffix. Another option would be simply type-casting nameLen to uintmax_t in the comparison (
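The two points made in the commit message (the int expression "nameLen + valueLen + 2" wrapping, and size_t and int being unrelated types) and the two in the reply above (validating the int returned by FCGX_GetChar() before it becomes a size_t, and comparing against SIZE_MAX through uintmax_t) as one stand-alone C example. This is added here and is not fcgi2 code: the helper names (read_pair_alloc_size, checked_param_size, checked_byte, int_len_to_size), the byte-stream stand-in for FCGX_GetChar() and the sample headers are this example's own assumptions; the 1-byte / 4-byte length encoding is the one from the FastCGI specification.

```c
/*
 * Added example, not fcgi2 project code. All helper names are hypothetical.
 * Build: cc -std=c99 -Wall -Wextra -Wsign-compare example.c
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed byte stream standing in for a FastCGI params record; reads
 * return int and -1 on EOF, the same contract as FCGX_GetChar(). */
struct byte_stream { const unsigned char *buf; size_t len; size_t pos; };

static int stream_getc(struct byte_stream *s)
{
    return s->pos < s->len ? (int)s->buf[s->pos++] : -1;
}

/* Validate an int from a getc-style reader before it becomes a byte: -1 (EOF)
 * must be rejected here, not sign-extended into a huge size_t later. */
static int checked_byte(int c, unsigned char *out)
{
    if (c < 0 || c > UCHAR_MAX) return -1;
    *out = (unsigned char)c;
    return 0;
}

/* Convert an int length to size_t as the reply suggests: reject negative values,
 * then compare through uintmax_t so the SIZE_MAX test is unsigned on both sides
 * (no signed/unsigned comparison warning, whatever suffix SIZE_MAX carries). */
static int int_len_to_size(int len, size_t *out)
{
    if (len < 0 || (uintmax_t)len > (uintmax_t)SIZE_MAX) return -1;
    *out = (size_t)len;
    return 0;
}

/* Decode one FastCGI name-value-pair length: a single byte, or four bytes
 * big-endian when the top bit of the first byte is set (cleared on decode,
 * so the largest encodable length is 2^31-1). */
static int read_fcgi_length(struct byte_stream *s, size_t *len)
{
    unsigned char b[4];
    if (checked_byte(stream_getc(s), &b[0]) != 0) return -1;
    if ((b[0] & 0x80) == 0) { *len = b[0]; return 0; }
    for (int i = 1; i < 4; i++)
        if (checked_byte(stream_getc(s), &b[i]) != 0) return -1;
    *len = ((size_t)(b[0] & 0x7f) << 24) | ((size_t)b[1] << 16)
         | ((size_t)b[2] << 8) | (size_t)b[3];
    return 0;
}

/* What "nameLen + valueLen + 2" does when evaluated in 32-bit int, modelled
 * with unsigned arithmetic so the wraparound is well defined in this example
 * (in the real expression it is signed overflow, i.e. undefined behaviour).
 * Two maximal 31-bit lengths wrap to 0, so the size handed to Malloc() is far
 * smaller than the bytes later copied into the buffer. */
static long modelled_int_sum(int nameLen, int valueLen)
{
    uint32_t wrapped = (uint32_t)nameLen + (uint32_t)valueLen + 2u;
    return (long)(int32_t)wrapped;
}

/* Hardened form: both operands are size_t and the addition is checked against
 * SIZE_MAX before it happens. Returns 0 and sets *total, or -1 on overflow. */
static int checked_param_size(size_t nameLen, size_t valueLen, size_t *total)
{
    if (nameLen > SIZE_MAX - 2 || valueLen > SIZE_MAX - 2 - nameLen) return -1;
    *total = nameLen + valueLen + 2;
    return 0;
}

/* Read both length fields of one name-value pair and compute the allocation
 * size safely. Returns 0 on success, -1 on truncated input or overflow. */
static int read_pair_alloc_size(const unsigned char *buf, size_t len, size_t *total)
{
    struct byte_stream s = { buf, len, 0 };
    size_t nameLen, valueLen;
    if (read_fcgi_length(&s, &nameLen) != 0) return -1;
    if (read_fcgi_length(&s, &valueLen) != 0) return -1;
    return checked_param_size(nameLen, valueLen, total);
}

int main(void)
{
    /* Constructed headers: short form (4, 5) and long form (2^31-1, 2^31-1). */
    const unsigned char short_hdr[] = { 0x04, 0x05 };
    const unsigned char long_hdr[] = { 0xff, 0xff, 0xff, 0xff,
                                       0xff, 0xff, 0xff, 0xff };
    size_t total, n;
    if (read_pair_alloc_size(short_hdr, sizeof short_hdr, &total) == 0)
        printf("short form: allocate %zu bytes\n", total);
    printf("int model of two maximal lengths: %ld\n",
           modelled_int_sum(INT_MAX, INT_MAX));
    printf("int_len_to_size(-1) -> %d (EOF rejected)\n", int_len_to_size(-1, &n));
    if (read_pair_alloc_size(long_hdr, sizeof long_hdr, &total) == 0)
        printf("size_t form: allocate %zu bytes\n", total);
    else
        printf("size_t form: rejected, sum does not fit size_t here\n");
    return 0;
}
```

On a 64-bit build the long-form header is accepted with a 4 GiB allocation size, which is the honest answer; on a 32-bit size_t the same header is rejected by the SIZE_MAX check instead of wrapping, which is the case the commit message is about.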