Author: upstream & Thorsten Alteholz Description: fix for latest security issues Index: tnef-1.4.12/src/alloc.c =================================================================== --- tnef-1.4.12.orig/src/alloc.c 2017-03-29 12:48:17.715743232 +0200 +++ tnef-1.4.12/src/alloc.c 2017-03-29 12:48:17.711743020 +0200 @@ -40,14 +40,23 @@ return alloc_limit; } +size_t +check_mul_overflow(size_t a, size_t b, size_t* res) +{ + size_t tmp = a * b; + if (a != 0 && tmp / a != b) return 1; + *res = tmp; + return 0; +} + static void alloc_limit_failure (char *fn_name, size_t size) { - fprintf (stderr, + fprintf (stderr, "%s: Maximum allocation size exceeded " "(maxsize = %lu; size = %lu).\n", fn_name, - (unsigned long)alloc_limit, + (unsigned long)alloc_limit, (unsigned long)size); } @@ -56,17 +65,21 @@ { if (alloc_limit && size > alloc_limit) { - alloc_limit_failure (fn_name, size); - exit (-1); + alloc_limit_failure (fn_name, size); + exit (-1); } } /* attempts to malloc memory, if fails print error and call abort */ void* -xmalloc (size_t size) +xmalloc (size_t num, size_t size) { - void *ptr = malloc (size); - if (!ptr + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + void *ptr = malloc (res); + if (!ptr && (size != 0)) /* some libc don't like size == 0 */ { perror ("xmalloc: Memory allocation failure"); @@ -77,20 +90,29 @@ /* Allocates memory but only up to a limit */ void* -checked_xmalloc (size_t size) +checked_xmalloc (size_t num, size_t size) { - alloc_limit_assert ("checked_xmalloc", size); - return xmalloc (size); + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + alloc_limit_assert ("checked_xmalloc", res); + return xmalloc (num, size); } /* xmallocs memory and clears it out */ void* xcalloc (size_t num, size_t size) { - void *ptr = malloc(num * size); + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + void *ptr; + ptr = malloc(res); if (ptr) { - memset (ptr, '\0', (num * size)); + memset (ptr, '\0', (res)); } return ptr; } @@ -99,9 +121,10 @@ void* checked_xcalloc (size_t num, size_t size) { - alloc_limit_assert ("checked_xcalloc", (num *size)); + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + alloc_limit_assert ("checked_xcalloc", (res)); return xcalloc (num, size); } - - - Index: tnef-1.4.12/src/alloc.h =================================================================== --- tnef-1.4.12.orig/src/alloc.h 2017-03-29 12:48:17.715743232 +0200 +++ tnef-1.4.12/src/alloc.h 2017-03-29 12:48:17.711743020 +0200 @@ -35,20 +35,20 @@ extern void set_alloc_limit (size_t size); extern size_t get_alloc_limit(); extern void alloc_limit_assert (char *fn_name, size_t size); -extern void* checked_xmalloc (size_t size); -extern void* xmalloc (size_t size); +extern void* checked_xmalloc (size_t num, size_t size); +extern void* xmalloc (size_t num, size_t size); extern void* checked_xcalloc (size_t num, size_t size); extern void* xcalloc (size_t num, size_t size); #define XMALLOC(_type,_num) \ - ((_type*)xmalloc((_num)*sizeof(_type))) + ((_type*)xmalloc((_num), sizeof(_type))) #define XCALLOC(_type,_num) \ ((_type*)xcalloc((_num), sizeof (_type))) #define CHECKED_XMALLOC(_type,_num) \ - ((_type*)checked_xmalloc((_num)*sizeof(_type))) + ((_type*)checked_xmalloc((_num),sizeof(_type))) #define CHECKED_XCALLOC(_type,_num) \ ((_type*)checked_xcalloc((_num),sizeof(_type))) #define XFREE(_ptr) \ - do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0) + do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0) #endif /* ALLOC_H */