mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-11 03:40:50 +02:00
Fix length calculations in wolfSSL_BUF_MEM_grow_ex and wolfSSL_BUF_MEM_resize.
Also fix a potential overread in wolfSSL_BUF_MEM_grow_ex for the non-realloc case. Fixes F-5730
This commit is contained in:
@@ -15416,20 +15416,20 @@ WOLFSSL_BUF_MEM* wolfSSL_BUF_MEM_new(void)
|
||||
int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
|
||||
char zeroFill)
|
||||
{
|
||||
|
||||
int len_int = (int)len;
|
||||
int mx;
|
||||
size_t mx;
|
||||
char* tmp;
|
||||
|
||||
/* verify provided arguments */
|
||||
if (buf == NULL || len_int < 0) {
|
||||
/* verify provided arguments. The return value is an int holding the
|
||||
* resulting length, so reject any len that cannot be represented as a
|
||||
* non-negative int. This also prevents truncating size_t to int. */
|
||||
if (buf == NULL || len > (size_t)INT_MAX) {
|
||||
return 0; /* BAD_FUNC_ARG; */
|
||||
}
|
||||
|
||||
/* check to see if fits in existing length */
|
||||
if (buf->length > len) {
|
||||
buf->length = len;
|
||||
return len_int;
|
||||
return (int)len;
|
||||
}
|
||||
|
||||
/* check to see if fits in max buffer */
|
||||
@@ -15438,11 +15438,11 @@ int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
|
||||
XMEMSET(&buf->data[buf->length], 0, len - buf->length);
|
||||
}
|
||||
buf->length = len;
|
||||
return len_int;
|
||||
return (int)len;
|
||||
}
|
||||
|
||||
/* expand size, to handle growth */
|
||||
mx = (len_int + 3) / 3 * 4;
|
||||
mx = (len + 3) / 3 * 4;
|
||||
|
||||
#ifdef WOLFSSL_NO_REALLOC
|
||||
tmp = (char*)XMALLOC(mx, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
@@ -15463,12 +15463,12 @@ int wolfSSL_BUF_MEM_grow_ex(WOLFSSL_BUF_MEM* buf, size_t len,
|
||||
}
|
||||
buf->data = tmp;
|
||||
|
||||
buf->max = (size_t)mx;
|
||||
buf->max = mx;
|
||||
if (zeroFill)
|
||||
XMEMSET(&buf->data[buf->length], 0, len - buf->length);
|
||||
buf->length = len;
|
||||
|
||||
return len_int;
|
||||
return (int)len;
|
||||
|
||||
}
|
||||
|
||||
@@ -15482,10 +15482,11 @@ int wolfSSL_BUF_MEM_grow(WOLFSSL_BUF_MEM* buf, size_t len)
|
||||
int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
|
||||
{
|
||||
char* tmp;
|
||||
int mx;
|
||||
size_t mx;
|
||||
|
||||
/* verify provided arguments */
|
||||
if (buf == NULL || len == 0 || (int)len <= 0) {
|
||||
/* verify provided arguments. The return value is an int, so reject any
|
||||
* len that cannot be represented as a positive int. */
|
||||
if (buf == NULL || len == 0 || len > (size_t)INT_MAX) {
|
||||
return 0; /* BAD_FUNC_ARG; */
|
||||
}
|
||||
|
||||
@@ -15496,7 +15497,7 @@ int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
|
||||
return wolfSSL_BUF_MEM_grow_ex(buf, len, 0);
|
||||
|
||||
/* expand size, to handle growth */
|
||||
mx = ((int)len + 3) / 3 * 4;
|
||||
mx = (len + 3) / 3 * 4;
|
||||
|
||||
/* We want to shrink the internal buffer */
|
||||
#ifdef WOLFSSL_NO_REALLOC
|
||||
@@ -15516,7 +15517,7 @@ int wolfSSL_BUF_MEM_resize(WOLFSSL_BUF_MEM* buf, size_t len)
|
||||
|
||||
buf->data = tmp;
|
||||
buf->length = len;
|
||||
buf->max = (size_t)mx;
|
||||
buf->max = mx;
|
||||
|
||||
return (int)len;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user