From cf8acae36a580935c42228f3d30f3e96c8a3ef59 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Tue, 7 May 2019 20:53:17 +0200
Subject: [PATCH] Prevent integer overflow in kq_build_changes_list.

On amd64 systems with kqueue (e.g. *BSD systems) an integer overflow could be triggered with an excessively huge amount of events.

Signed-off-by: Tobias Stoeckmann
---
 kqueue.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kqueue.c b/kqueue.c
index a959c58a..9a249511 100644
--- a/kqueue.c
+++ b/kqueue.c
@@ -62,6 +62,7 @@
 #include "log-internal.h"
 #include "evmap-internal.h"
 #include "event2/thread.h"
+#include "event2/util.h"
 #include "evthread-internal.h"
 #include "changelist-internal.h"
@@ -210,6 +211,12 @@ kq_build_changes_list(const struct event_changelist *changelist,
 int newsize = kqop->changes_size * 2;
 struct kevent *newchanges;
+ if (newsize < 0 || (size_t)newsize > EV_SIZE_MAX / sizeof(struct kevent)) {
+ event_warnx("%s: int overflow", __func__);
+ return (-1);
+ }
+
 newchanges = mm_realloc(kqop->changes, newsize * sizeof(struct kevent));
 if (newchanges == NULL) {
-- 
2.40.0
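Review bot: The added `newsize < 0` test inspects the result of `kqop->changes_size * 2` after that multiplication has already been evaluated in `int`, so if changes_size is itself an int larger than INT_MAX/2 the signed overflow has happened before the guard runs; that is undefined behaviour, and an optimizer is entitled to treat `newsize < 0` as always false and discard the check. Guard the operand before multiplying instead, e.g. `if (kqop->changes_size > INT_MAX / 2 || (size_t)kqop->changes_size * 2 > EV_SIZE_MAX / sizeof(struct kevent))` with the same warn-and-return body, and compute `newsize` only after it passes. INT_MAX requires `<limits.h>`, which the partly visible include block in the first hunk does not show, so confirm it is already included. kq_build_changes_list begins before and continues after this hunk; the mm_realloc call that consumes `newsize * sizeof(struct kevent)` is inside it.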