From: James Jones <jejones3141@gmail.com>
Date: Fri, 12 Jul 2024 17:19:14 +0000 (-0500)
Subject: Deal with unlikely overflows in minmax_heap_extend() (CID #1604610)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e455c7737ee3fe43409b305cf42e6f0ab767f535;p=thirdparty%2Ffreeradius-server.git

Deal with unlikely overflows in minmax_heap_extend() (CID #1604610)

Since n_size is sometimes set to UINT_MAX, the size calculation in
talloc_realloc() may overflow as written; ditto for the failure
error message.
---

diff --git a/src/lib/util/minmax_heap.c b/src/lib/util/minmax_heap.c
index 3ffddc51569..f7256c103ab 100644
--- a/src/lib/util/minmax_heap.c
+++ b/src/lib/util/minmax_heap.c
@@ -171,10 +171,10 @@ static CC_HINT(nonnull) int minmax_heap_expand(fr_minmax_heap_t *hp)
 		n_size = 2 * h->size;
 	}
 
-	h = (minmax_heap_t *)talloc_realloc(hp, h, uint8_t, sizeof(minmax_heap_t) + (sizeof(void *) * (n_size + 1)));
+	h = (minmax_heap_t *)talloc_realloc(hp, h, uint8_t, sizeof(minmax_heap_t) + (sizeof(void *) * ((size_t)n_size + 1)));
 	if (unlikely(!h)) {
-		fr_strerror_printf("Failed expanding heap to %u elements (%u bytes)",
-				   n_size, (n_size * (unsigned int)sizeof(void *)));
+		fr_strerror_printf("Failed expanding heap to %u elements (%zu bytes)",
+				   n_size, (n_size * sizeof(void *)));
 		return -1;
 	}