From ead7c462846401cd3cb9e770b6ab1bae2fa9d7bb Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Thu, 12 Sep 2019 06:55:22 -0700
Subject: Improve overflow checks in string catenation.

* lib.c (cat_str, vscat): Use size_t type for the total, so that the wrapping behavior we depend on for overflow detection is well-defined. Also, there was an overflow check missing for the total + 1 beign passed to chk_wmalloc. Instead of adding that overflow check, let's just start the total at 1.
---
 lib.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib.c b/lib.c
index 467b1785..90137512 100644
--- a/lib.c
+++ b/lib.c
@@ -3896,7 +3896,7 @@ val replace_str(val str_in, val items, val from, val to)
 val cat_str(val list, val sep)
 {
- cnum total = 0;
+ size_t total = 1;
 val iter;
 wchar_t *str, *ptr;
 wchar_t onech[] = wini(" ");
@@ -3917,7 +3917,7 @@ val cat_str(val list, val sep)
 if (!item) continue;
 if (stringp(item)) {
- cnum ntotal = total + c_num(length_str(item));
+ size_t ntotal = total + c_num(length_str(item));
 if (len_sep && cdr(iter)) ntotal += len_sep;
@@ -3930,7 +3930,7 @@ val cat_str(val list, val sep)
 continue;
 }
 if (chrp(item)) {
- cnum ntotal = total + 1;
+ size_t ntotal = total + 1;
 if (len_sep && cdr(iter)) ntotal += len_sep;
@@ -3946,7 +3946,7 @@ val cat_str(val list, val sep)
 item, nao);
 }
- str = chk_wmalloc(total + 1);
+ str = chk_wmalloc(total);
 for (ptr = str, iter = list; iter != nil; iter = cdr(iter)) {
 val item = car(iter);
@@ -3976,7 +3976,7 @@ oflow:
 static val vscat(val sep, va_list vl1, va_list vl2)
 {
- cnum total = 0;
+ size_t total = 1;
 val item, next;
 wchar_t *str, *ptr;
 cnum len_sep = (!null_or_missing_p(sep)) ? c_num(length_str(sep)) : 0;
@@ -3986,7 +3986,7 @@ static val vscat(val sep, va_list vl1, va_list vl2)
 next = va_arg(vl1, val);
 if (stringp(item)) {
- cnum ntotal = total + c_num(length_str(item));
+ size_t ntotal = total + c_num(length_str(item));
 if (len_sep && next != nao) ntotal += len_sep;
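Review bot: `size_t total = 1;` at the top of cat_str encodes an invariant that nothing on the new side states: total now counts the terminating null as well as the characters, which is why the allocation later becomes `chk_wmalloc(total)`. Anyone who later reads total as a plain character count, or puts the familiar `+ 1` back at the allocation, gets the buffer size wrong by one. I would add `/* total counts the terminating null, so it starts at 1 */` on this declaration and on the matching one in the vscat hunk at -3976. Both function bodies continue outside their hunks.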
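Review bot: In `size_t ntotal = total + c_num(length_str(item));` the addend is still a signed cnum, and `ntotal += len_sep` adds a second cnum (vscat's context shows `cnum len_sep`), so both conversions to size_t are implicit. The wrap test after these additions lies outside the hunk; assuming it is a single `ntotal < total` comparison, it is exact only because both addends are non-negative and each is below half the size_t range, so the sum can wrap at most once. That precondition deserves a comment at the check, for example `/* lengths are non-negative cnum values, so the two additions wrap at most once */`. Declaring len_sep as size_t would also remove the mixed-sign arithmetic. The same applies to the chrp branch at -3930 and to both vscat hunks at -3986 and -3999.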
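Review bot: `str = chk_wmalloc(total);` passes a count of wchar_t elements, and the wrap checks earlier in cat_str only establish that this count fits in size_t. The byte size is the count times `sizeof (wchar_t)`, which wraps at a much smaller count and would leave the copy loop writing past a short allocation. chk_wmalloc is not part of this patch, so confirm that it rejects oversized counts before multiplying. If it does not, a bound such as `if (total > (size_t) -1 / sizeof (wchar_t)) goto oflow;` belongs just before this call. The same applies to the `chk_wmalloc(total)` call in the vscat hunk at -4015.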
@@ -3999,7 +3999,7 @@ static val vscat(val sep, va_list vl1, va_list vl2)
 continue;
 }
 if (chrp(item)) {
- cnum ntotal = total + 1;
+ size_t ntotal = total + 1;
 if (len_sep && next != nao) ntotal += len_sep;
@@ -4015,7 +4015,7 @@ static val vscat(val sep, va_list vl1, va_list vl2)
 item, nao);
 }
- str = chk_wmalloc(total + 1);
+ str = chk_wmalloc(total);
 for (ptr = str, item = va_arg(vl2, val); item != nao; item = next) {
-- 
cgit v1.2.3