authorStef Walter <stef@thewalter.net>2013-07-16 21:20:44 +0200
committerStef Walter <stef@thewalter.net>2013-07-18 06:58:09 +0200
commit9886b39e2ebd2f711b5b0c3ca2e24694a9ffd361 (patch)
treef409c3f547fc3ae2590f8ba3818625b2f1137bb8 /common
parent0ddd67184b65dfde0e5d05a957f01eeca161e384 (diff)
buffer: Check for unlikely integer overflow
If we see an integer overflow here something has gone horribly wrong (or malicious code is present). So treat this as unrecoverable, and fail if we're going to overflow. https://bugzilla.redhat.com/show_bug.cgi?id=985019
Diffstat (limited to 'common')
-rw-r--r--common/buffer.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/common/buffer.c b/common/buffer.c
index dc46fcb..f2e2cb8 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -39,6 +39,7 @@
#include "debug.h"
#include <assert.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
@@ -152,11 +153,16 @@ p11_buffer_append (p11_buffer *buffer,
return_val_if_fail (p11_buffer_ok (buffer), NULL);
terminator = (buffer->flags & P11_BUFFER_NULL) ? 1 : 0;
+
+ /* Check for unlikely and unrecoverable integer overflow */
+ return_val_if_fail (SIZE_MAX - (terminator + length) > buffer->len, NULL);
+
reserve = terminator + length + buffer->len;
if (reserve > buffer->size) {
/* Calculate a new length, minimize number of buffer allocations */
+ return_val_if_fail (buffer->size < SIZE_MAX / 2, NULL);
newlen = buffer->size * 2;
if (!newlen)
newlen = 16;