From e172874cc65f39e79ae895d35382d2fa3061d3dd Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Thu, 23 Oct 2008 09:54:10 +0200
Subject: command: check over/underflows in check_int()
The "long" result of strtol() was implicitly casted down to a 32 bit integer. Add some range checking instead.
---
 src/command.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/command.c b/src/command.c
index 853c7d798..2f567e25b 100644
--- a/src/command.c
+++ b/src/command.c
@@ -129,12 +129,13 @@ check_uint32(struct client *client, uint32_t *dst,
 }
 static bool mpd_fprintf__
-check_int(struct client *client, int *dst,
+check_int(struct client *client, int *value_r,
 const char *s, const char *fmt, ...)
 {
 char *test;
+ long value;
- *dst = strtol(s, &test, 10);
+ value = strtol(s, &test, 10);
 if (*test != '\0') {
 va_list args;
 va_start(args, fmt);
@@ -142,6 +143,16 @@ check_int(struct client *client, int *dst,
 va_end(args);
 return false;
 }
+
+#if LONG_MAX > INT_MAX
+ if (value < INT_MIN || value > INT_MAX) {
+ command_error(client, ACK_ERROR_ARG,
+ "Number too large: %s", s);
+ return false;
+ }
+#endif
+
+ *value_r = (int)value;
 return true;
 }
--
cgit v1.2.3
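Review bot: The end-of-string test after `value = strtol(s, &test, 10);` still accepts an argument that contains no digits: for an empty `s`, strtol() consumes nothing, `test` equals `s`, `*test` is `'\0'`, and the function goes on to store 0 as if the client had sent a number. The condition should also reject that case, `if (test == s || *test != '\0') {`. Whether an empty argument can actually reach check_int() depends on the command tokenizer, which is not visible here. The body of check_int() continues past this hunk.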
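Review bot: The new range check is compiled only under `#if LONG_MAX > INT_MAX`, so on a build where `long` and `int` have the same width an out-of-range argument is still accepted: strtol() clamps the result to LONG_MAX or LONG_MIN and reports the overflow only through errno, which nothing here reads. Setting `errno = 0;` before the strtol() call in the previous hunk and testing `if (errno == ERANGE || value < INT_MIN || value > INT_MAX) {` without the `#if` would cover both cases. The patch adds no `#include <limits.h>`; if command.c does not already get it through another header, the undefined macros evaluate to 0 inside the `#if` and the check silently compiles out, so that is worth confirming. The "Number too large" text is also sent for values below INT_MIN.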