nightmaremail


commit 2fe3ac71d35e68d1d42273a3925b9f7dc8020742
parent 8038bf6547e85382dcb6696c55bec8d8b127e668
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri,  8 May 2020 22:56:57 +0200

genalloc: make sure allocation sizes never overflow

Fixes the remainder of CVE-2005-1513.

Diffstat:
Mgen_allocdefs.h | 9+++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/gen_allocdefs.h b/gen_allocdefs.h
@@ -8,6 +8,7 @@
 #define GEN_ALLOC_readyplus(ta,type,field,len,a,base,ta_rplus) \
 static int ta_rplus ## _internal (ta *x, unsigned int n, unsigned int pluslen) \
 { \
+ unsigned int nlen; \
 errno = error_nomem; \
 if (x->field) { \
 unsigned int nnum; \
@@ -17,12 +18,16 @@ static int ta_rplus ## _internal (ta *x, unsigned int n, unsigned int pluslen) \
 return 1; \
 if (__builtin_add_overflow(n, (n >> 3) + base, &nnum)) \
 return 0; \
- if (!alloc_re(&x->field,x->a * sizeof(type),nnum * sizeof(type))) \
+ if (__builtin_mul_overflow(nnum, sizeof(type), &nlen)) \
+ return 0; \
+ if (!alloc_re(&x->field,x->a * sizeof(type),nlen)) \
 return 0; \
 x->a = nnum; \
 return 1; } \
 x->len = 0; \
- x->field = (type *) alloc(n * sizeof(type)); \
+ if (__builtin_mul_overflow(n, sizeof(type), &nlen)) \
+ return 0; \
+ x->field = alloc(nlen); \
 if (!x->field) \
 return 0; \
 x->a = n; \
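Review bot: The declaration `unsigned int nlen;` carries the whole guarantee of the two checks added further down, and nothing in the macro says so. `__builtin_mul_overflow` reports overflow relative to the type of its result object, so the byte count is only bounded to what `alloc()` and `alloc_re()` can accept if their size parameters are also `unsigned int`; presumably they are, but their prototypes are not visible here. I would add a comment above the `#define`, for example `/* nlen must have the same type as the size parameter of alloc()/alloc_re(), otherwise the overflow checks do not bound what is actually allocated */`. The function body continues past the end of this hunk.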
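Review bot: The old-size argument in `alloc_re(&x->field,x->a * sizeof(type),nlen)` is still an unchecked product, even though the new size next to it is now checked. It stays in range only while `x->a` has been stored by a path that validated `a * sizeof(type)`, as this function now does. Other GEN_ALLOC macros and direct writes to the field are not visible in this hunk, so the invariant should at least be stated in a comment, or the product checked the same way into a second local. Separately, `x->field = alloc(nlen);` drops the `(type *)` cast, which is only warning-free if `alloc()` returns `void *`; that looks like an unrelated cleanup and would be worth a word in the commit message. The function starts in the previous hunk and ends outside this one.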