From: Rusty Russell Date: Tue, 10 Jun 2014 05:09:34 +0000 (+0930) Subject: tal/talloc: fix overflow on 64 bit systems X-Git-Url: http://git.ozlabs.org/?p=ccan;a=commitdiff_plain;h=36c52c260ed076d36a308dc4ea755f965abf0629;ds=sidebyside tal/talloc: fix overflow on 64 bit systems Arguably a bug in talloc_realloc_array, which uses an unsigned for size, resulting in silent truncation and a memcpy into a too-small buffer. Signed-off-by: Rusty Russell --- diff --git a/ccan/tal/talloc/talloc.c b/ccan/tal/talloc/talloc.c index ad21b704..fbe9b384 100644 --- a/ccan/tal/talloc/talloc.c +++ b/ccan/tal/talloc/talloc.c @@ -141,6 +141,13 @@ bool tal_talloc_resize_(tal_t **ctxp, size_t size, size_t count) *ctxp = newp; return true; } + + /* count is unsigned, not size_t, so check for overflow here! */ + if ((unsigned)count != count) { + call_error("Resize overflos"); + return false; + } + newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL); if (!newp) { call_error("Resize failure");
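Review bot: the error string in the added check is misspelled: call_error("Resize overflos") should read "Resize overflow", which matters if anyone greps logs or tests for the message. The comment "count is unsigned, not size_t" is also confusing next to a function signature that declares `size_t count`; it would be clearer to say that the count parameter of _talloc_realloc_array is unsigned, so a size_t value has to be range-checked before the call. Finally, the check is placed after the earlier path that ends in `*ctxp = newp; return true;`, so it only guards the _talloc_realloc_array call; it is worth confirming that the earlier path does not hand count to anything with a narrower type.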