From fcb245c46fe15a5062155ba4a69fd2b3327f72df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Wed, 27 Jun 2007 08:39:07 +0000
Subject: [PATCH] Check for multipication overrun.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21362 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/asn1/gen_decode.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/lib/asn1/gen_decode.c b/lib/asn1/gen_decode.c
index 567529c85..88c99f010 100644
--- a/lib/asn1/gen_decode.c
+++ b/lib/asn1/gen_decode.c
@@ -394,19 +394,31 @@ decode_type (const char *name, const Type *t, int optional,
 		 "{\n"
 		 "size_t %s_origlen = len;\n"
 		 "size_t %s_oldret = ret;\n"
+		 "size_t %s_olen = 0;\n"
 		 "void *%s_tmp;\n"
 		 "ret = 0;\n"
 		 "(%s)->len = 0;\n"
-		 "(%s)->val = NULL;\n"
+		 "(%s)->val = NULL;\n",
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 tmpstr,
+		 name,
+		 name);
+
+	fprintf (codefile,
 		 "while(ret < %s_origlen) {\n"
-		 "%s_tmp = realloc((%s)->val, "
-		 "    sizeof(*((%s)->val)) * ((%s)->len + 1));\n"
-		 "if (%s_tmp == NULL) { %s; }\n"
+		 "size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n"
+		 "if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n"
+		 "%s_olen = %s_nlen;\n"
+		 "%s_tmp = realloc((%s)->val, %s_olen);\n"
+		 "if (%s_tmp == NULL) { e = ENOMEM; %s; }\n"
 		 "(%s)->val = %s_tmp;\n",
-		 tmpstr, tmpstr, tmpstr,
-		 name, name,
+		 tmpstr,
+		 tmpstr, tmpstr, name,
+		 tmpstr, tmpstr, forwstr,
 		 tmpstr, tmpstr,
-		 name, name, name,
+		 tmpstr, name, tmpstr,
 		 tmpstr, forwstr, 
 		 name, tmpstr);