SECURITY: fix botched integer overflow handling logic in stralloc_ready (Giorgio)

2015-04-09 18:23:23 +00:00 · 2015-04-09 18:23:23 +00:00 · 79f534ffdf
commit 79f534ffdf
parent d0e735e2c2
2 changed files with 3 additions and 1 deletions
--- a/1
+++ b/1
@ -28,6 +28,7 @@
    zero length buffer
  if SOCK_NONBLOCK is defined, use it instead of socket+fcntl
  ... but if errno==EINVAL still fall back to socket+fcntl (Robert Henney)
+  SECURITY: fix botched integer overflow handling logic in stralloc_ready (Giorgio)

 0.29:
  save 8 bytes in taia.h for 64-bit systems
--- a/stralloc/stralloc_ready.c
+++ b/stralloc/stralloc_ready.c
@ -9,7 +9,8 @@
 * old space, and returns 1. Note that this changes sa.s. */
 int stralloc_ready(stralloc *sa,size_t len) {
  register size_t wanted=len+(len>>3)+30; /* heuristic from djb */
-  if (wanted<len || !sa->s || sa->a<len) {
+  if (wanted<len) wanted=len;
+  if (!sa->s || sa->a<len) {
    register char* tmp;
    if (!(tmp=realloc(sa->s,wanted)))
      return 0;