]> granicus.if.org Git - libevent/commitdiff
buffer: fix overflow check in evbuffer_expand_singlechain()
authorAzat Khuzhin <a3at.mail@gmail.com>
Tue, 21 Jun 2016 16:49:57 +0000 (19:49 +0300)
committerAzat Khuzhin <a3at.mail@gmail.com>
Sat, 25 Jun 2016 22:59:42 +0000 (01:59 +0300)
Refs: #306
Fixes: #340
Fixes: 20d6d4458bee5d88bda1511c225c25b2d3198d6c
buffer.c

index 6786f9024c7724f7dffa18eaad960fb539c427df..1a35fb21d2d65d4d957a921cf1162179eed41317 100644 (file)
--- a/buffer.c
+++ b/buffer.c
@@ -1982,8 +1982,7 @@ evbuffer_expand_singlechain(struct evbuffer *buf, size_t datlen)
        /* Would expanding this chunk be affordable and worthwhile? */
        if (CHAIN_SPACE_LEN(chain) < chain->buffer_len / 8 ||
            chain->off > MAX_TO_COPY_IN_EXPAND ||
-           (datlen < EVBUFFER_CHAIN_MAX &&
-               EVBUFFER_CHAIN_MAX - datlen >= chain->off)) {
+               datlen >= (EVBUFFER_CHAIN_MAX - chain->off)) {
                /* It's not worth resizing this chain. Can the next one be
                 * used? */
                if (chain->next && CHAIN_SPACE_LEN(chain->next) >= datlen) {