coverity 472862: cookiejar overflow

2025-03-16 00:00:07 +01:00 · 2025-01-16 10:32:03 +00:00 · 2025-01-16 10:32:03 +00:00 · fce734f279
commit fce734f279
parent e5506ade69
1 changed files with 20 additions and 3 deletions
--- a/lib/misc/cache-ttl/file.c
+++ b/lib/misc/cache-ttl/file.c
@ -163,7 +163,11 @@ nscookiejar_iterate(lws_cache_nscookiejar_t *cache, int fd,
 		lwsl_debug("%s: n %d, m %d\n", __func__, n, m);

 read:
-		n1 = (int)read(fd, temp + n, sizeof(temp) - (size_t)n);
+		if ((size_t)n >= sizeof(temp) - 1)
+			/* there's no space left in temp */
+			n1 = 0;
+		else
+			n1 = (int)read(fd, temp + n, sizeof(temp) - (size_t)n);

 		lwsl_debug("%s: n1 %d\n", __func__, n1);

@ -171,12 +175,18 @@ read:
 			eof = 1;
 			if (m == n)
 				continue;
-		} else
+		} else {
 			n += n1;

+			if ((size_t)n > sizeof(temp)) { /* coverity */
+				ret = -1;
+				goto bail;
+			}
+		}
+
 		while (m < n) {

-			m++;
+			m++; /* m can == n nw then */

 			if (temp[m - 1] != '\n')
 				continue;
@ -197,6 +207,13 @@ read:
 			 * cb can classify it even if it can't get all the
 			 * value part in one go
 			 */
+
+			/* coverity: we will blow up if m > n */
+			if (m > n) {
+				ret = -1;
+				goto bail;
+			}
+
 			memmove(temp, temp + m, (size_t)(n - m));
 			n -= m;
 			m = 0;