Guard allocation-size calculation in ctest_sprintf#330

Open
orbisai0security wants to merge 2 commits into
Azure:masterfrom
orbisai0security:fix-v-001-malloc-null-check-integer-overflow

@orbisai0security orbisai0security commented May 16, 2026

This PR fixes a narrowly scoped defensive integer-overflow edge case in ctest.c.

The existing code already checks the result of malloc, so this is not a missing NULL-check fix. However, neededSize is an int returned from vsnprintf, and the expression neededSize + 1 is evaluated as signed integer arithmetic before being passed to malloc. If neededSize were INT_MAX, the addition could overflow before conversion to size_t.

This patch adds an explicit guard before the allocation-size calculation and keeps the existing malloc NULL check.

Vulnerability

Field     Value
ID        V-001
Severity  Low / defensive hardening
CWE       CWE-190
File      src/ctest.c

Changes

  • src/ctest.c: move #include <limits.h> unconditional; add INT_MAX guard before allocation-size arithmetic

Automated security fix generated by Orbis Security AI
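The pattern the description argues for, written out end to end as an added example (this is not code from the Azure ctest project or from the PR; the function names safe_vsprintf_alloc and compute_alloc_size are hypothetical). It measures with vsnprintf, rejects a negative return, guards the INT_MAX boundary before the +1, and only then performs the addition in size_t. The existing malloc NULL check is kept, as the PR does.

```c
/* Added example, not code from the Azure ctest project or this PR.
 * Shows a format-to-heap helper with the allocation-size guard the
 * PR description talks about. Names are hypothetical. */
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pure helper exposing just the size computation so boundary values can be
 * checked without formatting anything. Returns 0 and stores the size in *out
 * on success, -1 when neededSize cannot become a valid allocation size. */
int compute_alloc_size(int neededSize, size_t *out)
{
    /* vsnprintf reports an encoding error with a negative value; cast to
     * size_t that would become a huge request, so reject it explicitly. */
    if (neededSize < 0) {
        return -1;
    }
    /* neededSize + 1 in int arithmetic is undefined when neededSize == INT_MAX.
     * Guard first, then do the addition in size_t. */
    if (neededSize == INT_MAX) {
        return -1;
    }
    *out = (size_t)neededSize + 1;
    return 0;
}

/* Returns a freshly malloc'd, NUL-terminated string with the formatted output,
 * or NULL on encoding error, size overflow or allocation failure.
 * The caller owns the returned buffer. */
char *safe_vsprintf_alloc(const char *fmt, ...)
{
    va_list args;
    int neededSize;
    size_t allocSize;
    char *result;

    /* First pass: measure. With a zero-length buffer vsnprintf returns the
     * number of characters that would have been written, excluding the NUL. */
    va_start(args, fmt);
    neededSize = vsnprintf(NULL, 0, fmt, args);
    va_end(args);

    if (compute_alloc_size(neededSize, &allocSize) != 0) {
        return NULL;
    }

    result = malloc(allocSize);
    if (result == NULL) {
        return NULL;   /* existing-style NULL check is still needed */
    }

    /* Second pass: format into the right-sized buffer. */
    va_start(args, fmt);
    (void)vsnprintf(result, allocSize, fmt, args);
    va_end(args);
    return result;
}

int main(void)
{
    char *s = safe_vsprintf_alloc("%s=%d", "count", 42);
    if (s != NULL) {
        printf("%s (len %zu)\n", s, strlen(s));
        free(s);
    }
    return 0;
}
```

Splitting the size computation into its own function is what makes the boundary behaviour testable: INT_MAX and any negative return are rejected before malloc is ever reached, while INT_MAX - 1 still yields a valid request of exactly INT_MAX bytes.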
Comment thread src/ctest.c
{
result = malloc(neededSize + 1);
result = malloc((size_t)neededSize + 1);
if (result == NULL)
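Review bot: the visible hunk only casts neededSize to size_t before the addition; the explicit INT_MAX guard the description promises does not appear in these lines, so either it lives in an unshown part of the diff or it still needs adding. The cast alone removes the signed int overflow, but it does not address a negative neededSize, which vsnprintf returns on an encoding error: `(size_t)neededSize + 1` then becomes a very large request, and the outcome depends on malloc failing rather than on an explicit check. Suggest `if (neededSize < 0 || neededSize == INT_MAX) { /* fail */ }` before the allocation, keeping the `if (result == NULL)` check as is.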
Contributor
PR description claims that the malloc on line 623 is not checked for NULL; the check is here on line 624.

Author
You're right — the PR description was wrong. The existing code does check malloc for NULL immediately after allocation.

I've reframed this as a narrower defensive integer-overflow fix: guarding the neededSize + 1 allocation-size calculation before the addition is evaluated. I'll update the PR title/description and patch accordingly. If you think this edge case is too theoretical for this project, I'm also happy to close it.

Author
You’re right, the PR description was wrong. The existing code does check malloc for NULL immediately after allocation.

I’ve reframed this as a narrower defensive integer-overflow fix: guarding the neededSize + 1 allocation-size calculation before the addition is evaluated. I’ve updated the PR title/description and patched accordingly.

… ctest_vsprintf_char

neededSize + 1 is evaluated as signed int arithmetic before promotion to size_t.
Add explicit INT_MAX guard (CWE-190) and move limits.h unconditional so INT_MAX
is available on all platforms.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
orbisai0security changed the title from "fix: in src/ctest in ctest.c" to "Guard allocation-size calculation in ctest_sprintf" on Jun 6, 2026