Mercurial > dropbear
comparison buffer.c @ 1305:6914eedb1072
additional length checks
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Mon, 11 Jul 2016 23:34:18 +0800 |
| parents | 2bb4c662d1c2 |
| children | 6fafb500de88 ce0931b7f4c2 |
comparison
equal
deleted
inserted
replaced
| 1304:b66a483f3dcb | 1305:6914eedb1072 |
|---|---|
| 139 } | 139 } |
| 140 | 140 |
| 141 /* increment the position by incr, negative values are allowed, to | 141 /* increment the position by incr, negative values are allowed, to |
| 142 * decrement the pos*/ | 142 * decrement the pos*/ |
| 143 void buf_incrpos(buffer* buf, int incr) { | 143 void buf_incrpos(buffer* buf, int incr) { |
| 144 if (incr > BUF_MAX_INCR || | 144 if (incr > BUF_MAX_INCR |
| 145 (unsigned int)((int)buf->pos + incr) > buf->len | 145 || incr < -BUF_MAX_INCR |
| 146 || ((int)buf->pos + incr) < 0) { | 146 || (unsigned int)((int)buf->pos + incr) > buf->len |
| 147 || ((int)buf->pos + incr) < 0) { | |
| 147 dropbear_exit("Bad buf_incrpos"); | 148 dropbear_exit("Bad buf_incrpos"); |
| 148 } | 149 } |
| 149 buf->pos += incr; | 150 buf->pos += incr; |
| 150 } | 151 } |
| 151 | 152 |
| 182 | 183 |
| 183 /* returns an in-place pointer to the buffer, checking that | 184 /* returns an in-place pointer to the buffer, checking that |
| 184 * the next len bytes from that position can be used */ | 185 * the next len bytes from that position can be used */ |
| 185 unsigned char* buf_getptr(buffer* buf, unsigned int len) { | 186 unsigned char* buf_getptr(buffer* buf, unsigned int len) { |
| 186 | 187 |
| 187 if (buf->pos + len > buf->len) { | 188 if (len > BUF_MAX_INCR || buf->pos + len > buf->len) { |
| 188 dropbear_exit("Bad buf_getptr"); | 189 dropbear_exit("Bad buf_getptr"); |
| 189 } | 190 } |
| 190 return &buf->data[buf->pos]; | 191 return &buf->data[buf->pos]; |
| 191 } | 192 } |
| 192 | 193 |
| 193 /* like buf_getptr, but checks against total size, not used length. | 194 /* like buf_getptr, but checks against total size, not used length. |
| 194 * This allows writing past the used length, but not past the size */ | 195 * This allows writing past the used length, but not past the size */ |
| 195 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) { | 196 unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) { |
| 196 | 197 |
| 197 if (buf->pos + len > buf->size) { | 198 if (len > BUF_MAX_INCR || buf->pos + len > buf->size) { |
| 198 dropbear_exit("Bad buf_getwriteptr"); | 199 dropbear_exit("Bad buf_getwriteptr"); |
| 199 } | 200 } |
| 200 return &buf->data[buf->pos]; | 201 return &buf->data[buf->pos]; |
| 201 } | 202 } |
| 202 | 203 |