From 86d54f4f8c4535e663ae706dd270bd80d5af7b99 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 22 Oct 2014 07:16:37 -0400
Subject: strv: add an additional overflow check when enlarging strv()s

https://bugs.freedesktop.org/show_bug.cgi?id=76745

This also adds:
strv: use realloc_multiply() to check for multiplication overflow
by Michal Schmidt <mschmidt@redhat.com>

This could overflow on 32bit, where size_t is the same as unsigned.

Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
---
 src/shared/strv.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'src/shared/strv.c')

diff --git a/src/shared/strv.c b/src/shared/strv.c
index 7c43f256d3..85ae556c16 100644
--- a/src/shared/strv.c
+++ b/src/shared/strv.c
@@ -142,13 +142,19 @@ char **strv_new(const char *x, ...) {
 
 int strv_push(char ***l, char *value) {
         char **c;
-        unsigned n;
+        unsigned n, m;
 
         if (!value)
                 return 0;
 
         n = strv_length(*l);
-        c = realloc(*l, sizeof(char*) * (n + 2));
+
+        /* increase and check for overflow */
+        m = n + 2;
+        if (m < n)
+                return -ENOMEM;
+
+        c = realloc_multiply(*l, sizeof(char*), m);
         if (!c)
                 return -ENOMEM;
 
-- 
cgit v1.2.3-54-g00ecf