From 9886b39e2ebd2f711b5b0c3ca2e24694a9ffd361 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Tue, 16 Jul 2013 21:20:44 +0200
Subject: buffer: Check for unlikely integer overflow

If we see an integer overflow here something has gone horribly wrong (or malicious code is present). So treat this as unrecoverable, and fail if we're going to overflow.

https://bugzilla.redhat.com/show_bug.cgi?id=985019
---
 common/buffer.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/buffer.c b/common/buffer.c
index dc46fcb..f2e2cb8 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -39,6 +39,7 @@
 #include "debug.h"
 #include
+#include
 #include
 #include
 #include
@@ -152,11 +153,16 @@ p11_buffer_append (p11_buffer *buffer,
 	return_val_if_fail (p11_buffer_ok (buffer), NULL);
 	terminator = (buffer->flags & P11_BUFFER_NULL) ? 1 : 0;
+
+	/* Check for unlikely and unrecoverable integer overflow */
+	return_val_if_fail (SIZE_MAX - (terminator + length) > buffer->len, NULL);
+
 	reserve = terminator + length + buffer->len;
 	if (reserve > buffer->size) {
 		/* Calculate a new length, minimize number of buffer allocations */
+		return_val_if_fail (buffer->size < SIZE_MAX / 2, NULL);
 		newlen = buffer->size * 2;
 		if (!newlen)
 			newlen = 16;
-- 
cgit v1.1
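Review bot: The new guard `SIZE_MAX - (terminator + length) > buffer->len` in the second hunk still lets the inner sum wrap: when `length` is at or near `SIZE_MAX` and `terminator` is 1, `terminator + length` wraps to a small value, the subtraction stays large, the check passes, and `reserve` comes out smaller than the bytes the caller asked to append (assuming `length` is `size_t`, as the comparison against `SIZE_MAX` implies). Guard the inner addition first, e.g. `return_val_if_fail (length <= SIZE_MAX - terminator, NULL);` immediately before the existing check, so each addition is proven not to wrap before it is performed. The `buffer->size < SIZE_MAX / 2` guard covers only the first doubling; if the growth below continues to double `newlen` until it reaches `reserve` (p11_buffer_append's body runs past the end of the hunk, so this is not visible here), the same bound is needed on every iteration. Both guards would also read more clearly with a comment naming what they reject, e.g. `/* reject lengths whose sum with the existing contents cannot be represented in size_t */`.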