| author | Stefan Boberg <[email protected]> | 2026-04-16 20:17:46 +0200 |
|---|---|---|
| committer | Stefan Boberg <[email protected]> | 2026-04-16 20:17:46 +0200 |
| commit | 003aedc75e4de4222ecc505afd286d4825bef70d (patch) | |
| tree | 1331ee96c90cc6a307dc6e780095e0802525ad14 /src/zenhttp/httpserver.cpp | |
| parent | Guard against ArgV overflow in Linux IterateCommandlineArgs (diff) | |

Validate sizes and check errors in IoBufferBuilder::MakeFromFile

MakeFromFile had three related defects on the size-resolution path:

* On POSIX, fstat()'s return value was ignored. If fstat failed,
  Stat.st_size was uninitialized, so FileSize became garbage and every
  subsequent size calculation produced nonsense. The function would
  happily return an IoBuffer wrapping a bogus range.

* On Windows, DataFile.GetSize() (which returns HRESULT) was called
  without checking its result. Same failure mode -- FileSize could be
  left uninitialized.

* `Size = FileSize - Offset` underflowed to a near-4 EiB value when the
  caller passed an Offset beyond EOF, producing an IoBuffer that
  claimed to cover the entire address space. The clamp branch also
  computed `Offset + Size > FileSize`, which itself overflows when
  Size is large.

Initialize FileSize to zero, check both GetSize and fstat return
values (closing the fd on POSIX), reject Offset > FileSize up front
with an empty IoBuffer, and reorder the clamp as
`Size > FileSize - Offset` so the subtraction is performed on
already-validated inputs.

Diffstat (limited to 'src/zenhttp/httpserver.cpp')
0 files changed, 0 insertions, 0 deletions
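
The size-resolution arithmetic from the commit message, as an added example that is not code from this commit or from the zen sources. Every name here (`Range`, `FileSizeOf`, `ResolveUnchecked`, `ResolveChecked`) is hypothetical, and the all-ones `kWholeFile` "read to EOF" sentinel is an assumption about how a caller asks for the rest of the file.

```cpp
#include <sys/stat.h>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// All names below are hypothetical, not taken from the zen sources.
struct Range { uint64_t Offset; uint64_t Size; };
constexpr uint64_t kWholeFile = std::numeric_limits<uint64_t>::max();  // assumed "to EOF" sentinel

// Size lookup that refuses to hand back st_size when fstat() failed.
std::optional<uint64_t> FileSizeOf(int Fd)
{
    struct stat Stat{};
    if (fstat(Fd, &Stat) != 0 || Stat.st_size < 0)
        return std::nullopt;
    return static_cast<uint64_t>(Stat.st_size);
}

// The arithmetic as the commit message describes it before the fix.
Range ResolveUnchecked(uint64_t FileSize, uint64_t Offset, uint64_t Size)
{
    if (Size == kWholeFile)
        Size = FileSize - Offset;        // wraps when Offset > FileSize
    else if (Offset + Size > FileSize)   // the sum itself can wrap past 2^64
        Size = FileSize - Offset;
    return {Offset, Size};
}

// The ordering the commit message describes after the fix.
std::optional<Range> ResolveChecked(uint64_t FileSize, uint64_t Offset, uint64_t Size)
{
    if (Offset > FileSize)
        return std::nullopt;             // caller returns an empty buffer
    const uint64_t Remaining = FileSize - Offset;  // cannot wrap: Offset <= FileSize
    if (Size > Remaining)                // also covers the kWholeFile sentinel
        Size = Remaining;
    return Range{Offset, Size};
}

int main()
{
    const Range Bad = ResolveUnchecked(100, 200, kWholeFile);
    std::printf("unchecked, offset past EOF: size=%llu\n", (unsigned long long)Bad.Size);
    std::printf("checked, offset past EOF: %s\n",
                ResolveChecked(100, 200, kWholeFile) ? "range" : "rejected");
    return 0;
}
```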