Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

PATCH: Coverity CID 1637382 bsiz can overflow when reading a large heredoc



Use a size_t and explicit size check, although presumably the realloc
will fail long before we get to this point. In theory if we did, though,
the code would loop forever with bsiz==0 which wouldn't be great.
---
 Src/exec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Src/exec.c b/Src/exec.c
index 7ea669f35b..2c730b9109 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4574,7 +4574,8 @@ char *
 gethere(char **strp, int typ)
 {
     char *buf;
-    int bsiz, qt = 0, strip = 0;
+    int qt = 0, strip = 0;
+    size_t bsiz;
     char *s, *t, *bptr, c;
     char *str = *strp;
 
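Review bot: changing `bsiz` from `int` to `size_t` in this declaration needs the rest of `gethere()` to follow, and only part of that is visible here. The capacity test `bptr >= buf + bsiz - 2` now does unsigned arithmetic, so it relies on `bsiz` never being smaller than 2, and the initial assignment to `bsiz` (outside this hunk) must be nonzero for the doubling in the second hunk to make progress at all, which is exactly the `bsiz==0` loop the commit message warns about. Please check the initialiser and any other arithmetic on `bsiz` in the function for the signed/unsigned change.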
@@ -4601,7 +4602,7 @@ gethere(char **strp, int typ)
 	    if (bptr >= buf + bsiz - 2) {
 		ptrdiff_t toff = t - buf;
 		ptrdiff_t bptroff = bptr - buf;
-		char *newbuf = realloc(buf, 2 * bsiz);
+		char *newbuf = (bsiz <= SIZE_MAX / 2 ) ? realloc(buf, 2 * bsiz) : NULL;
 		if (!newbuf) {
 		    /* out of memory */
 		    zfree(buf, bsiz);
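Review bot: the guard `bsiz <= SIZE_MAX / 2` is the right condition for `2 * bsiz` not to wrap, but `SIZE_MAX` comes from `<stdint.h>`; confirm exec.c already gets it through the zsh headers, since nothing in this diff adds the include. Minor style: there is a stray space in `SIZE_MAX / 2 )`, and splitting the conditional onto two lines would keep it under the usual line length. On the failure path, `zfree(buf, bsiz)` is now passed a `size_t`; if `zfree()` takes its size as `int` this is an implicit narrowing conversion that may warn, so consider a cast there. Finally, the later `bsiz *= 2` (not shown) should stay after the successful `realloc`, otherwise the `zfree` size no longer matches the allocation.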
-- 
2.38.1




