Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
p11-kit.25027
0001-Check-for-arithmetic-overflows-before-allo...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Check-for-arithmetic-overflows-before-allocating.patch of Package p11-kit.25027
From 6c1c94bd2360f5778beb397ba5508d5084b7f0ee Mon Sep 17 00:00:00 2001 From: David Cook <divergentdave@gmail.com> Date: Sat, 7 Nov 2020 10:12:44 -0600 Subject: [PATCH] Check for arithmetic overflows before allocating --- p11-kit/iter.c | 4 ++-- p11-kit/lists.c | 2 ++ p11-kit/proxy.c | 2 +- p11-kit/rpc-message.c | 13 +++++++++++++ p11-kit/rpc-message.h | 4 ++++ p11-kit/rpc-server.c | 8 ++++---- trust/index.c | 4 ++-- 7 files changed, 28 insertions(+), 9 deletions(-) Index: p11-kit-0.23.2/p11-kit/iter.c =================================================================== --- p11-kit-0.23.2.orig/p11-kit/iter.c +++ p11-kit-0.23.2/p11-kit/iter.c @@ -490,7 +490,7 @@ move_next_session (P11KitIter *iter) if (rv != CKR_OK) return finish_iterating (iter, rv); - iter->slots = realloc (iter->slots, sizeof (CK_SLOT_ID) * (num_slots + 1)); + iter->slots = reallocarray (iter->slots, (num_slots + 1), sizeof (CK_SLOT_ID) ); return_val_if_fail (iter->slots != NULL, CKR_HOST_MEMORY); rv = (iter->module->C_GetSlotList) (CK_TRUE, iter->slots, &num_slots); @@ -604,7 +604,7 @@ p11_kit_iter_next (P11KitIter *iter) for (;;) { if (iter->max_objects - iter->num_objects == 0) { iter->max_objects = iter->max_objects ? iter->max_objects * 2 : 64; - iter->objects = realloc (iter->objects, iter->max_objects * sizeof (CK_ULONG)); + iter->objects = reallocarray (iter->objects, sizeof (CK_ULONG), iter->max_objects ); return_val_if_fail (iter->objects != NULL, CKR_HOST_MEMORY); } Index: p11-kit-0.23.2/p11-kit/lists.c =================================================================== --- p11-kit-0.23.2.orig/p11-kit/lists.c +++ p11-kit-0.23.2/p11-kit/lists.c @@ -64,6 +64,8 @@ hex_encode (const unsigned char *data, size_t i; size_t o; + if ((SIZE_MAX - 1) / 3 < n_data) + return NULL; result = malloc (n_data * 3 + 1); if (result == NULL) return NULL; Index: p11-kit-0.23.2/p11-kit/proxy.c =================================================================== --- p11-kit-0.23.2.orig/p11-kit/proxy.c +++ p11-kit-0.23.2/p11-kit/proxy.c @@ -287,7 +287,7 @@ proxy_create (Proxy **res) return_val_if_fail (count == 0 || slots != NULL, CKR_GENERAL_ERROR); - py->mappings = realloc (py->mappings, sizeof (Mapping) * (py->n_mappings + count)); + py->mappings = reallocarray (py->mappings, (py->n_mappings + count), sizeof (Mapping) ); return_val_if_fail (py->mappings != NULL, CKR_HOST_MEMORY); /* And now add a mapping for each of those slots */ Index: p11-kit-0.23.2/p11-kit/rpc-message.c =================================================================== --- p11-kit-0.23.2.orig/p11-kit/rpc-message.c +++ p11-kit-0.23.2/p11-kit/rpc-message.c @@ -42,6 +42,7 @@ #include "rpc-message.h" #include <assert.h> +#include <errno.h> #include <string.h> void @@ -111,6 +112,18 @@ p11_rpc_message_alloc_extra (p11_rpc_mes return (void *)(data + 1); } +void * +p11_rpc_message_alloc_extra_array (p11_rpc_message *msg, + size_t nmemb, + size_t size) +{ + if ((SIZE_MAX - sizeof (void *)) / nmemb < size) { + errno = ENOMEM; + return NULL; + } + return p11_rpc_message_alloc_extra (msg, nmemb * size); +} + bool p11_rpc_message_prep (p11_rpc_message *msg, int call_id, Index: p11-kit-0.23.2/p11-kit/rpc-message.h =================================================================== --- p11-kit-0.23.2.orig/p11-kit/rpc-message.h +++ p11-kit-0.23.2/p11-kit/rpc-message.h @@ -243,6 +243,10 @@ void p11_rpc_message_clear void * p11_rpc_message_alloc_extra (p11_rpc_message *msg, size_t length); +void * p11_rpc_message_alloc_extra_array (p11_rpc_message *msg, + size_t nmemb, + size_t size); + bool p11_rpc_message_prep (p11_rpc_message *msg, int call_id, p11_rpc_message_type type); Index: p11-kit-0.23.2/p11-kit/rpc-server.c =================================================================== --- p11-kit-0.23.2.orig/p11-kit/rpc-server.c +++ p11-kit-0.23.2/p11-kit/rpc-server.c @@ -83,7 +83,7 @@ proto_read_byte_buffer (p11_rpc_message if (length == 0) return CKR_OK; - *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_BYTE)); + *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_BYTE)); if (*buffer == NULL) return CKR_DEVICE_MEMORY; @@ -181,7 +181,7 @@ proto_read_ulong_buffer (p11_rpc_message if (length == 0) return CKR_OK; - *buffer = p11_rpc_message_alloc_extra (msg, length * sizeof (CK_ULONG)); + *buffer = p11_rpc_message_alloc_extra_array (msg, length, sizeof (CK_ULONG)); if (!*buffer) return CKR_DEVICE_MEMORY; @@ -241,7 +241,7 @@ proto_read_attribute_buffer (p11_rpc_mes return PARSE_ERROR; /* Allocate memory for the attribute structures */ - attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE)); + attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE)); if (attrs == NULL) return CKR_DEVICE_MEMORY; @@ -299,7 +299,7 @@ proto_read_attribute_array (p11_rpc_mess return PARSE_ERROR; /* Allocate memory for the attribute structures */ - attrs = p11_rpc_message_alloc_extra (msg, n_attrs * sizeof (CK_ATTRIBUTE)); + attrs = p11_rpc_message_alloc_extra_array (msg, n_attrs, sizeof (CK_ATTRIBUTE)); if (attrs == NULL) return CKR_DEVICE_MEMORY; Index: p11-kit-0.23.2/trust/index.c =================================================================== --- p11-kit-0.23.2.orig/trust/index.c +++ p11-kit-0.23.2/trust/index.c @@ -263,7 +263,7 @@ bucket_insert (index_bucket *bucket, if (bucket->num + 1 > alloc) { alloc = alloc ? alloc * 2 : 1; return_if_fail (alloc != 0); - bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); + bucket->elem = reallocarray (bucket->elem, sizeof (CK_OBJECT_HANDLE), alloc); } return_if_fail (bucket->elem != NULL); @@ -283,7 +283,7 @@ bucket_push (index_bucket *bucket, if (bucket->num + 1 > alloc) { alloc = alloc ? alloc * 2 : 1; return_val_if_fail (alloc != 0, false); - bucket->elem = realloc (bucket->elem, alloc * sizeof (CK_OBJECT_HANDLE)); + bucket->elem = reallocarray (bucket->elem, sizeof (CK_OBJECT_HANDLE), alloc); } return_val_if_fail (bucket->elem != NULL, false);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
