From: Stef Walter
Date: Tue, 16 Jul 2013 19:20:44 +0000 (+0200)
Subject: buffer: Check for unlikely integer overflow
X-Git-Tag: 0.19.2~15
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9886b39e2ebd2f711b5b0c3ca2e24694a9ffd361;p=p11-kit

buffer: Check for unlikely integer overflow

If we see an integer overflow here something has gone horribly wrong (or malicious code is present). So treat this as unrecoverable, and fail if we're going to overflow.

https://bugzilla.redhat.com/show_bug.cgi?id=985019
---
diff --git a/common/buffer.c b/common/buffer.c
index dc46fcb..f2e2cb8 100644
--- a/common/buffer.c
+++ b/common/buffer.c
@@ -39,6 +39,7 @@
 #include "debug.h"
 #include
+#include
 #include
 #include
 #include
@@ -152,11 +153,16 @@ p11_buffer_append (p11_buffer *buffer,
 return_val_if_fail (p11_buffer_ok (buffer), NULL);
 terminator = (buffer->flags & P11_BUFFER_NULL) ? 1 : 0;
+
+ /* Check for unlikely and unrecoverable integer overflow */
+ return_val_if_fail (SIZE_MAX - (terminator + length) > buffer->len, NULL);
+
 reserve = terminator + length + buffer->len;
 if (reserve > buffer->size) {
 /* Calculate a new length, minimize number of buffer allocations */
+ return_val_if_fail (buffer->size < SIZE_MAX / 2, NULL);
 newlen = buffer->size * 2;
 if (!newlen) newlen = 16;