From a6913f97b23e96bbdb424c2fa7f41f96c82ca912 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Grubbstr=C3=B6m=20=28Grubba=29?=
 <grubba@grubba.org>
Date: Thu, 8 Oct 2015 14:07:19 +0200
Subject: [PATCH] Inotify: Minor code cleanup. Potential fix for [CID 1325796].

---
 src/modules/Inotify/inotify.cmod | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/modules/Inotify/inotify.cmod b/src/modules/Inotify/inotify.cmod
index ead55d47f4..932ae541a3 100644
--- a/src/modules/Inotify/inotify.cmod
+++ b/src/modules/Inotify/inotify.cmod
@@ -384,14 +384,18 @@ PIKECLASS _Instance {
 	    }
 	    while (THIS->buf.s->len >=
 		   (off + (ptrdiff_t)sizeof(struct inotify_event))) {
+	        /* NB: Assumes that e->len has a valid alignment
+		 *     for the struct. This could cause problems
+		 *     on non-x86 systems and injected data.
+		 */
 		struct inotify_event *e = (void *)(THIS->buf.s->str + off);
 		const char *path = (char *)(e + 1);
-		if ((off + (ptrdiff_t)sizeof(struct inotify_event) + e->len) >
-		    THIS->buf.s->len) {
+		ptrdiff_t new_off = off + sizeof(struct inotify_event) + e->len;
+		if (new_off > THIS->buf.s->len) {
 		    /* Not enough data for the filename yet. */
 		    break;
 		}
-		off += sizeof(struct inotify_event) + e->len;
+		off = new_off;
 
 		push_int(e->wd);
 		push_int(e->mask);
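Review bot: The bounds check on `new_off` can be bypassed where `ptrdiff_t` is 32 bits. There `off + sizeof(struct inotify_event) + e->len` is evaluated unsigned and then converted to `ptrdiff_t`, so a large `e->len` can wrap or become negative, pass `new_off > THIS->buf.s->len`, and let `off = new_off` move the cursor outside the buffer. The removed form compared in unsigned arithmetic on such targets (assuming `off` is a `ptrdiff_t`; its declaration is outside the hunk), so the new check is somewhat weaker for the injected-data case the added comment mentions. Comparing against the remaining bytes avoids the addition entirely: `if (e->len > (size_t)(THIS->buf.s->len - off) - sizeof(struct inotify_event)) break;`, which is safe because the loop condition already guarantees a full header remains. For the alignment concern, copying the header with `memcpy` into a local `struct inotify_event` would remove the misaligned access rather than only documenting it; the loop and its enclosing function start and end outside this hunk.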
-- 
GitLab