Prevent endless loop in evmap_make_space.

If slot is larger than INT_MAX / 2, then the loop which increases
nentries until it is larger than slot would never return.

Also make sure that nentries * msize will never overflow INT_MAX.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

diff --git a/evmap.c b/evmap.c
index 9e3449c5b1f60f7e094bdc546896c3fc5f718b16..ffc991f5ccd60c33fdee9cc73b6dfc2285092dae 100644 (file)
--- a/evmap.c
+++ b/evmap.c
@@ -208,9 +208,15 @@ evmap_make_space(struct event_signal_map *map, int slot, int msize)
                int nentries = map->nentries ? map->nentries : 32;
                void **tmp;
 
+               if (slot > INT_MAX / 2)
+                       return (-1);
+
                while (nentries <= slot)
                        nentries <<= 1;
 
+               if (nentries > INT_MAX / msize)
+                       return (-1);
+
                tmp = (void **)mm_realloc(map->entries, nentries * msize);
                if (tmp == NULL)
                        return (-1);