tal/talloc: fix overflow on 64 bit systems

Arguably a bug in talloc_realloc_array, which uses an unsigned for size, resulting in silent truncation and a memcpy into a too-small buffer. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

tal/talloc: fix overflow on 64 bit systems
Arguably a bug in talloc_realloc_array, which uses an unsigned for size, resulting in silent truncation and a memcpy into a too-small buffer. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
36c52c26 · Rusty Russell · 7207c782 · 36c52c26
Commit 36c52c26 authored Jun 10, 2014 by Rusty Russell
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

ccan/tal/talloc/talloc.c ccan/tal/talloc/talloc.c +7 -0

No files found.
--- a/ccan/tal/talloc/talloc.c
+++ b/ccan/tal/talloc/talloc.c
@@ -141,6 +141,13 @@ bool tal_talloc_resize_(tal_t **ctxp, size_t size, size_t count)
 		*ctxp = newp;
 		return true;
 	}
+
+	/* count is unsigned, not size_t, so check for overflow here! */
+	if ((unsigned)count != count) {
+		call_error("Resize overflos");
+		return false;
+	}
+
 	newp = _talloc_realloc_array(NULL, *ctxp, size, count, NULL);
 	if (!newp) {
 		call_error("Resize failure");