From 352824d95f4331a3396e0b78dd0b855324b3cc82 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Tue, 19 Feb 2008 22:08:01 +0000
Subject:  r18214@catbus:  nickm | 2008-02-19 17:07:55 -0500  Backport to
 0.1.2.x: Add some checks in torgzip.c to make sure we never overflow size_t
 there.  Also make sure we do not realloc(list,0) in container.c.

svn:r13588
---
 src/common/container.c |  2 ++
 src/common/torgzip.c   | 14 ++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/common/container.c b/src/common/container.c
index 36234743ac..88f96d05f6 100644
--- a/src/common/container.c
+++ b/src/common/container.c
@@ -65,6 +65,8 @@ smartlist_set_capacity(smartlist_t *sl, int n)
 {
   if (n < sl->num_used)
     n = sl->num_used;
+  if (n < 1)
+    n = 1;
   if (sl->capacity != n) {
     sl->capacity = n;
     sl->list = tor_realloc(sl->list, sizeof(void*)*sl->capacity);
diff --git a/src/common/torgzip.c b/src/common/torgzip.c
index 5a1e1e8a0b..5216cfece0 100644
--- a/src/common/torgzip.c
+++ b/src/common/torgzip.c
@@ -70,7 +70,7 @@ tor_gzip_compress(char **out, size_t *out_len,
                   compress_method_t method)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
 
   tor_assert(out);
@@ -118,7 +118,12 @@ tor_gzip_compress(char **out, size_t *out_len,
           break;
       case Z_BUF_ERROR:
         offset = stream->next_out - ((unsigned char*)*out);
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {
@@ -173,7 +178,7 @@ tor_gzip_uncompress(char **out, size_t *out_len,
                     int protocol_warn_level)
 {
   struct z_stream_s *stream = NULL;
-  size_t out_size;
+  size_t out_size, old_size;
   off_t offset;
   int r;
 
@@ -240,7 +245,12 @@ tor_gzip_uncompress(char **out, size_t *out_len,
           goto err;
         }
         offset = stream->next_out - (unsigned char*)*out;
+        old_size = out_size;
         out_size *= 2;
+        if (out_size < old_size) {
+          log_warn(LD_GENERAL, "Size overflow in compression.");
+          goto err;
+        }
         *out = tor_realloc(*out, out_size);
         stream->next_out = (unsigned char*)(*out + offset);
         if (out_size - offset > UINT_MAX) {
-- 
cgit v1.2.3-54-g00ecf