From: Tony Finch
Date: Tue, 6 Jun 2023 14:20:44 +0000 (+0100)
Subject: Check for overflow in jemalloc_shim
X-Git-Tag: v9.19.15~15^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14f5b79c74727305bb0ae2498b7f259dad5fa8c4;p=thirdparty%2Fbind9.git

Check for overflow in jemalloc_shim

When compiled using a malloc that lacks an equivalent to sallocx(), the jemalloc_shim adds a size prefix to each allocation. We must check that this does not overflow.

Closes #4121
---

diff --git a/lib/isc/jemalloc_shim.h b/lib/isc/jemalloc_shim.h
index 0edb09267d9..94df92418b5 100644
--- a/lib/isc/jemalloc_shim.h
+++ b/lib/isc/jemalloc_shim.h
@@ -118,7 +118,8 @@ static inline void *
 mallocx(size_t size, int flags) {
 void *ptr = NULL;
- size_info *si = malloc(size + sizeof(*si));
+ size_t bytes = ISC_CHECKED_ADD(size, sizeof(size_info));
+ size_info *si = malloc(bytes);
 INSIST(si != NULL);
 si->size = size;
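Review bot: The added `ISC_CHECKED_ADD(size, sizeof(size_info))` guards only the mallocx path; any other function in this shim that adds the size prefix before reallocating (a rallocx counterpart, if the header has one) needs the same check, and none is visible in this hunk. The macro's definition is not shown here either, so confirm that the header providing it is included by jemalloc_shim.h and that it aborts on overflow rather than yielding a wrapped value, since the following `INSIST(si != NULL)` only catches a failed allocation, not an undersized one. A one-line comment above the new line would record the reason, for example `/* the size prefix must not wrap: a wrapped sum under-allocates while si->size still records the requested size */`. mallocx's body continues past the end of the hunk, so how `flags` and the returned pointer are handled cannot be checked from here.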