authorJack Lloyd <[email protected]>2016-02-13 10:45:59 -0500
committerJack Lloyd <[email protected]>2016-02-13 10:45:59 -0500
commit3dce8fa3fc4d60746c13a8c2d21f82961eb3b2c0 (patch)
treec51ea572bea7c081809279eb92c73434ad9eb1fe /src
parent25e2e7880768c14fd22d09ebdd2786f8eb8f500d (diff)
In compression wrappers add an overflow check before calling malloc
If malloc fails, don't record the size that was attempted. Otherwise a failing malloc followed by a free(nullptr) would zero a block of memory equal in size to the failed allocation, starting from the null address. It's not clear whether zlib, bzip2, or lzma expect the memory returned by the malloc function to be zeroed, but LZMA at least seems to read from it before writing. Zero it.
Diffstat (limited to 'src')
-rw-r--r--src/lib/compression/compression.cpp24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/lib/compression/compression.cpp b/src/lib/compression/compression.cpp
index fc2c6192a..178de245f 100644
--- a/src/lib/compression/compression.cpp
+++ b/src/lib/compression/compression.cpp
@@ -14,10 +14,28 @@ namespace Botan {
void* Compression_Alloc_Info::do_malloc(size_t n, size_t size)
{
- const size_t total_sz = n * size;
+ const size_t total_size = n * size;
+
+ BOTAN_ASSERT_EQUAL(total_size / size, n, "Overflow check");
+
+ // TODO maximum length check here?
+
+ void* ptr = std::malloc(total_size);
+
+ /*
+ * Return null rather than throwing here as we are being called by a
+ * C library and it may not be possible for an exception to unwind
+ * the call stack from here. The compression library is expecting a
+ * function written in C and a null return on error, which it will
+ * send upwards to the compression wrappers.
+ */
+
+ if(ptr)
+ {
+ std::memset(ptr, 0, total_size);
+ m_current_allocs[ptr] = total_size;
+ }
- void* ptr = std::malloc(total_sz);
- m_current_allocs[ptr] = total_sz;
return ptr;
}