Fix length calculations in wolfSSL_BUF_MEM_grow_ex and wolfSSL_BUF_MEM_resize.

Also fix a potential overread in wolfSSL_BUF_MEM_grow_ex for the non-realloc case.
Fixes F-5730
This commit is contained in:
Kareem
2026-06-12 12:53:21 -07:00
parent 84f0639257
commit b28490c1cc
+16 -15
View File
@@ -15416,20 +15416,20 @@ WOLFSSL_BUF_MEM* wolfSSL_BUF_MEM_new(void)
int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
char zeroFill)
{
int len_int = (int)len;
int mx;
size_t mx;
char* tmp;
/* verify provided arguments */
if (buf == NULL || len_int < 0) {
/* verify provided arguments. The return value is an int holding the
* resulting length, so reject any len that cannot be represented as a
* non-negative int. This also prevents truncating size_t to int. */
if (buf == NULL || len > (size_t)INT_MAX) {
return 0; /* BAD_FUNC_ARG; */
}
/* check to see if fits in existing length */
if (buf->length > len) {
buf->length = len;
return len_int;
return (int)len;
}
/* check to see if fits in max buffer */
@@ -15438,11 +15438,11 @@ int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
XMEMSET(&buf->data[buf->length], 0, len - buf->length);
}
buf->length = len;
return len_int;
return (int)len;
}
/* expand size, to handle growth */
mx = (len_int + 3) / 3 * 4;
mx = (len + 3) / 3 * 4;
#ifdef WOLFSSL_NO_REALLOC
tmp = (char*)XMALLOC(mx, NULL, DYNAMIC_TYPE_OPENSSL);
@@ -15463,12 +15463,12 @@ int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
}
buf->data = tmp;
buf->max = (size_t)mx;
buf->max = mx;
if (zeroFill)
XMEMSET(&buf->data[buf->length], 0, len - buf->length);
buf->length = len;
return len_int;
return (int)len;
}
@@ -15482,10 +15482,11 @@ int wolfSSL_BUF_MEM_grow(WOLFSSL_BUF_MEM* buf, size_t len)
int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
{
char* tmp;
int mx;
size_t mx;
/* verify provided arguments */
if (buf == NULL || len == 0 || (int)len <= 0) {
/* verify provided arguments. The return value is an int, so reject any
* len that cannot be represented as a positive int. */
if (buf == NULL || len == 0 || len > (size_t)INT_MAX) {
return 0; /* BAD_FUNC_ARG; */
}
@@ -15496,7 +15497,7 @@ int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
return wolfSSL_BUF_MEM_grow_ex(buf, len, 0);
/* expand size, to handle growth */
mx = ((int)len + 3) / 3 * 4;
mx = (len + 3) / 3 * 4;
/* We want to shrink the internal buffer */
#ifdef WOLFSSL_NO_REALLOC
@@ -15516,7 +15517,7 @@ int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
buf->data = tmp;
buf->length = len;
buf->max = (size_t)mx;
buf->max = mx;
return (int)len;
}