Check for multiplicative overflow in the wmem_alloc_array macros.

Bug:10343 Change-Id: Iea511c806b92999b3b497f94886c46a818100a23 Reviewed-on: https://code.wireshark.org/review/3396 Reviewed-by: Bill Meier <wmeier@newsguy.com>
2014-08-03 17:48:06 -04:00 · 2014-08-03 17:48:06 -04:00 · efb8a1ee43
parent 5b9acdaf61
commit efb8a1ee43
1 changed files with 5 additions and 2 deletions
--- a/epan/wmem/wmem_core.h
+++ b/epan/wmem/wmem_core.h
@ -88,6 +88,9 @@ G_GNUC_MALLOC;
 #define wmem_new(allocator, type) \
    ((type*)wmem_alloc((allocator), sizeof(type)))

+#define wmem_safe_mult(A, B) \
+    ((((B) > 0) && ((A) > (G_MAXSSIZE / (B)))) ? 0 : ((A) * (B)))
+
 /** Allocate memory sufficient to hold n objects of the given type.
 *
 * @param allocator The allocator object to use to allocate the memory.
@ -96,7 +99,7 @@ G_GNUC_MALLOC;
 * @return A void pointer to the newly allocated memory.
 */
 #define wmem_alloc_array(allocator, type, num) \
-    ((type*)wmem_alloc((allocator), sizeof(type) * (num)))
+    ((type*)wmem_alloc((allocator), wmem_safe_mult(sizeof(type), num)))

 /** Allocate the requested amount of memory in the given pool. Initializes the
 * allocated memory with zeroes.
@ -129,7 +132,7 @@ G_GNUC_MALLOC;
 * @return A void pointer to the newly allocated and zeroed memory.
 */
 #define wmem_alloc0_array(allocator, type, num) \
-    ((type*)wmem_alloc0((allocator), sizeof(type) * (num)))
+    ((type*)wmem_alloc0((allocator), wmem_safe_mult(sizeof(type), (num))))

 /** Returns the allocated memory to the allocator. This function should only
 * be called directly by allocators when the allocated block is sufficiently