From bca7083e8285e8e6a4377076a7e432417eafc6d2 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 27 Jan 2016 12:26:02 -0500 Subject: avoid integer overflow in and around smartlist_ensure_capacity. This closes bug 18162; bugfix on a45b1315909c9, which fixed a related issue long ago. In addition to the #18162 issues, this fixes a signed integer overflow in smartlist_add_all(), which is probably not so great either. --- changes/bug18162 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 changes/bug18162 (limited to 'changes') diff --git a/changes/bug18162 b/changes/bug18162 new file mode 100644 index 0000000000..0844d6f62f --- /dev/null +++ b/changes/bug18162 @@ -0,0 +1,7 @@ + o Major bugfixes (security, pointers): + + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug #18162; + bugfix on Tor 0.1.1.11-alpha, which fixed a related bug + incompletely. Reported by Guido Vranken. + -- cgit v1.2.3-54-g00ecf
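Review bot: The new changes/bug18162 entry covers only the heap corruption when extending a smartlist past 16GB of pointers, while the commit message says the same commit also fixes a signed integer overflow in smartlist_add_all(). The changelog is what operators and packagers read, so consider adding a sentence to this entry (or a second bullet under the same "Major bugfixes (security, pointers)" heading) that names the smartlist_add_all() overflow, so that fix is not silently folded into #18162. The entry also says the earlier fix was incomplete without saying what remained exposed; a short phrase on that would help readers decide how urgently to upgrade.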