diff options
author | marha <marha@users.sourceforge.net> | 2012-06-15 14:13:55 +0200 |
---|---|---|
committer | marha <marha@users.sourceforge.net> | 2012-06-15 14:13:55 +0200 |
commit | 1501699f035761714a1d4540d65a1afb7c567abe (patch) | |
tree | 4dd4d15583d9d542a699833331f34ceb10bbd6c3 /openssl/crypto/buffer | |
parent | 38c18d1733e4eb5cc560a34bfe2470e01a06205d (diff) | |
parent | a33de30073bfa0ee1abba186dba9fa52cf0aa23a (diff) | |
download | vcxsrv-1501699f035761714a1d4540d65a1afb7c567abe.tar.gz vcxsrv-1501699f035761714a1d4540d65a1afb7c567abe.tar.bz2 vcxsrv-1501699f035761714a1d4540d65a1afb7c567abe.zip |
Merge remote-tracking branch 'origin/released'
Conflicts:
freetype/src/raster/ftraster.c
openssl/Makefile
Diffstat (limited to 'openssl/crypto/buffer')
-rw-r--r-- | openssl/crypto/buffer/buffer.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/openssl/crypto/buffer/buffer.c b/openssl/crypto/buffer/buffer.c index f4b358bbb..d7aa79ad7 100644 --- a/openssl/crypto/buffer/buffer.c +++ b/openssl/crypto/buffer/buffer.c @@ -60,6 +60,11 @@ #include "cryptlib.h" #include <openssl/buffer.h> +/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That + * function is applied in several functions in this file and this limit ensures + * that the result fits in an int. */ +#define LIMIT_BEFORE_EXPANSION 0x5ffffffc + BUF_MEM *BUF_MEM_new(void) { BUF_MEM *ret; @@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); @@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); |