Merge "Fix broken pointer overflow check ns_name_unpack()"

commit: b145b5ef7c91ec76e4dc8450f70b7af80873b46e [log] [tgz]
author: Calin Juravle <calin@google.com> Fri Mar 07 11:46:48 2014 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Mar 07 11:46:48 2014 +0000
tree: 30c46ccb3af27c32ce7db1b92756b892c9d0c5ea
parent: d9ba757ef4546ef931cfa2fff4e206b36c955ead [diff]
parent: 85c5202a64e3cb63e54550fca7bb11f24b9d12cc [diff]
diff --git a/libc/dns/nameser/ns_name.c b/libc/dns/nameser/ns_name.c
index 12bf029..e3759ab 100644
--- a/libc/dns/nameser/ns_name.c
+++ b/libc/dns/nameser/ns_name.c

@@ -473,11 +473,14 @@
 				_DIAGASSERT(__type_fit(int, srcp - src + 1));
 				len = (int)(srcp - src + 1);
 			}
-			srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
-			if (srcp < msg || srcp >= eom) {  /* Out of range. */
+			// BEGIN android-changed: safer pointer overflow check
+			l = (((n & 0x3f) << 8) | (*srcp & 0xff));
+			if (l >= eom - msg) {  /* Out of range. */
 				errno = EMSGSIZE;
 				return (-1);
 			}
+			srcp = msg + l;
+			// END android-changed
 			checked += 2;
 			/*
 			 * Check for loops in the compressed name;
commit	b145b5ef7c91ec76e4dc8450f70b7af80873b46e	[log] [tgz]
author	Calin Juravle <calin@google.com>	Fri Mar 07 11:46:48 2014 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Mar 07 11:46:48 2014 +0000
tree	30c46ccb3af27c32ce7db1b92756b892c9d0c5ea
parent	d9ba757ef4546ef931cfa2fff4e206b36c955ead [diff]
parent	85c5202a64e3cb63e54550fca7bb11f24b9d12cc [diff]