From f15683b4b100351e24e305d25bd4785c79ac8f55 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 6 Dec 2010 21:18:50 +0100
Subject: Validate user supplied size of data items

Specially crafted packages might lead to an integer overflow and the parsing of the input buffer might not continue as expected. This issue was identified by Sebastian Krahmer .
---
 src/util/util.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/util')
diff --git a/src/util/util.h b/src/util/util.h
index f1e11a84..ee229347 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -171,6 +171,11 @@ errno_t set_debug_file_from_fd(const int fd);
 #define OUT_OF_ID_RANGE(id, min, max) \
 (id == 0 || (min && (id < min)) || (max && (id > max)))
+#define SIZE_T_MAX ((size_t) -1)
+
+#define SIZE_T_OVERFLOW(current, add) \
+ (((size_t)(add)) > (SIZE_T_MAX - ((size_t)(current))))
+
 static inline void safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter) {
-- cgit
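Review bot: `SIZE_T_OVERFLOW` casts both arguments to `size_t` before comparing, so a length held in a wider or signed type (for example a 64-bit wire field on a 32-bit build) is truncated or wrapped before the check sees it, and the macro carries no comment stating that limit. I would add a comment above it such as `/* True if current + add would wrap size_t. Arguments must already fit in size_t; this is not a bounds check against the buffer length. */`, because code parsing untrusted packets still has to compare the resulting offset with the real buffer size after this test passes. Separately, the unguarded `#define SIZE_T_MAX ((size_t) -1)` can clash with platforms whose `<limits.h>` already provides that name (some BSD-derived systems do); wrapping it in `#ifndef SIZE_T_MAX` or using C99 `SIZE_MAX` from `<stdint.h>` avoids the redefinition. The callers of the macro are outside this hunk, so whether any of them passes a non-`size_t` value cannot be confirmed from here.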