author | Stef Walter <stef@thewalter.net> | 2013-07-16 21:20:44 +0200 |
---|---|---|
committer | Stef Walter <stef@thewalter.net> | 2013-07-18 06:58:09 +0200 |
commit | 9886b39e2ebd2f711b5b0c3ca2e24694a9ffd361 (patch) | |
tree | f409c3f547fc3ae2590f8ba3818625b2f1137bb8 | |
parent | 0ddd67184b65dfde0e5d05a957f01eeca161e384 (diff) |
buffer: Check for unlikely integer overflow
If we see an integer overflow here something has gone horribly wrong
(or malicious code is present). So treat this as unrecoverable, and
fail if we're going to overflow.
https://bugzilla.redhat.com/show_bug.cgi?id=985019
-rw-r--r-- | common/buffer.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/common/buffer.c b/common/buffer.c
index dc46fcb..f2e2cb8 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -39,6 +39,7 @@
 #include "debug.h"
 #include <assert.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdarg.h>
@@ -152,11 +153,16 @@ p11_buffer_append (p11_buffer *buffer,
 	return_val_if_fail (p11_buffer_ok (buffer), NULL);
 	terminator = (buffer->flags & P11_BUFFER_NULL) ? 1 : 0;
+
+	/* Check for unlikely and unrecoverable integer overflow */
+	return_val_if_fail (SIZE_MAX - (terminator + length) > buffer->len, NULL);
+
 	reserve = terminator + length + buffer->len;
 	if (reserve > buffer->size) {
 		/* Calculate a new length, minimize number of buffer allocations */
+		return_val_if_fail (buffer->size < SIZE_MAX / 2, NULL);
 		newlen = buffer->size * 2;
 		if (!newlen)
 			newlen = 16;
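Review bot: The new guard `SIZE_MAX - (terminator + length) > buffer->len` in the second hunk can itself wrap before it is evaluated: with `terminator == 1` and `length == SIZE_MAX`, the inner sum `terminator + length` is 0, the test passes, and `reserve` silently comes out equal to `buffer->len`, so an impossible append is accepted instead of rejected. Subtracting only quantities that cannot underflow closes this: `return_val_if_fail (length < SIZE_MAX - terminator - buffer->len, NULL);` — `buffer->len` is bytes the buffer already holds, so `SIZE_MAX - terminator - buffer->len` is safe, and the strict bound of the original check is preserved. The second check `buffer->size < SIZE_MAX / 2` covers only the `buffer->size * 2` on the next line; if the growth computation continues on `newlen` past `newlen = 16`, any further multiplication there is presumably unguarded and would need the same treatment. The body of p11_buffer_append begins before this hunk (only its signature appears in the hunk header) and appears to continue after it.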