Ticket #4230: 0001-Prevent-integer-overflows-in-smartlist_ensure_capaci.patch

File 0001-Prevent-integer-overflows-in-smartlist_ensure_capaci.patch, 1.3 KB (added by mansour, 8 years ago)
  • src/common/container.c

    From 0a6b304b52a4808caf44843a066180aaaf3dbaf5 Mon Sep 17 00:00:00 2001
    From: Mansour Moufid <mansourmoufid@gmail.com>
    Date: Thu, 20 Oct 2011 13:53:59 -0400
    Subject: [PATCH] Prevent integer overflows in `smartlist_ensure_capacity'.
    
    ---
     src/common/container.c |   15 ++++++++++++---
     1 files changed, 12 insertions(+), 3 deletions(-)
    
    diff --git a/src/common/container.c b/src/common/container.c
    index 92bfd2e..e6d6dd3 100644
    a b  
    1616#include "torlog.h"
    1717#include "container.h"
    1818#include "crypto.h"
     19#include "torint.h"
    1920
    2021#include <stdlib.h>
    2122#include <string.h>
    smartlist_clear(smartlist_t *sl) 
    6263static INLINE void
    6364smartlist_ensure_capacity(smartlist_t *sl, int size)
    6465{
     66  tor_assert(size >= 0);
     67  tor_assert(sl->capacity >= 0);
    6568  if (size > sl->capacity) {
    66     int higher = sl->capacity * 2;
    67     while (size > higher)
     69    int higher = INT_MAX;
     70    if (sl->capacity <= INT_MAX / 2)
     71      higher = sl->capacity * 2;
     72    while (size > higher) {
     73      if (higher > INT_MAX / 2) {
     74        higher = INT_MAX;
     75        break;
     76      }
    6877      higher *= 2;
    69     tor_assert(higher > 0); /* detect overflow */
     78    }
    7079    sl->capacity = higher;
    7180    sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity);
    7281  }