authorStef Walter <stef@thewalter.net>2013-07-16 21:20:44 +0200
committerStef Walter <stef@thewalter.net>2013-07-18 06:58:09 +0200
commit9886b39e2ebd2f711b5b0c3ca2e24694a9ffd361 (patch)
treef409c3f547fc3ae2590f8ba3818625b2f1137bb8
parent0ddd67184b65dfde0e5d05a957f01eeca161e384 (diff)
buffer: Check for unlikely integer overflow
If we see an integer overflow here, something has gone horribly wrong (or malicious code is present). So treat this as unrecoverable, and fail if we're going to overflow. https://bugzilla.redhat.com/show_bug.cgi?id=985019
-rw-r--r--common/buffer.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/common/buffer.c b/common/buffer.c
index dc46fcb..f2e2cb8 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -39,6 +39,7 @@
#include "debug.h"
#include <assert.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
@@ -152,11 +153,16 @@ p11_buffer_append (p11_buffer *buffer,
return_val_if_fail (p11_buffer_ok (buffer), NULL);
terminator = (buffer->flags & P11_BUFFER_NULL) ? 1 : 0;
+
+ /* Check for unlikely and unrecoverable integer overflow */
+ return_val_if_fail (SIZE_MAX - (terminator + length) > buffer->len, NULL);
+
reserve = terminator + length + buffer->len;
if (reserve > buffer->size) {
/* Calculate a new length, minimize number of buffer allocations */
+ return_val_if_fail (buffer->size < SIZE_MAX / 2, NULL);
newlen = buffer->size * 2;
if (!newlen)
newlen = 16;