Arguably a bug in talloc_realloc_array, which uses an unsigned for
size, resulting in silent truncation and a memcpy into a too-small
buffer.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
*ctxp = newp;
return true;
}
*ctxp = newp;
return true;
}
+
+ /* count is unsigned, not size_t, so check for overflow here! */
+ if ((unsigned)count != count) {
+ call_error("Resize overflos");
+ return false;
+ }
+
newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
if (!newp) {
call_error("Resize failure");
newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
if (!newp) {
call_error("Resize failure");
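Review bot: The error message in the new overflow guard is misspelled: `call_error("Resize overflos");` should read `call_error("Resize overflow");`, so it matches the style of the "Resize failure" message below it and is greppable in logs. The guard itself looks right: `(unsigned)count != count` compares the narrowed value against the original and rejects any count that would be silently truncated at talloc's unsigned parameter, which is the too-small-buffer case the commit message describes. `if (count > UINT_MAX)` would express the same intent more directly if `<limits.h>` is already available in this file. The enclosing function begins outside the hunk, so the origin of count and any earlier validation cannot be confirmed from here.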