From a3545867fcdec50307c776ce0af28d07046a52dd Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 19 Nov 2019 16:42:17 +0100
Subject: [PATCH] - Fix Integer Overflow to Buffer Overflow in  
 sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.

---
 doc/Changelog    | 2 ++
 sldns/str2wire.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index 7398075e1..509b74b87 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -11,6 +11,8 @@
 	  reported by X41 D-Sec.
 	- Fix Integer Overflows in Size Calculations,
 	  reported by X41 D-Sec.
+	- Fix Integer Overflow to Buffer Overflow in
+	  sldns_str2wire_dname_buf_origin(), reported by X41 D-Sec.
 
 18 November 2019: Wouter
 	- In unbound-host use separate variable for get_option to please
diff --git a/sldns/str2wire.c b/sldns/str2wire.c
index 097f62101..f08f107c6 100644
--- a/sldns/str2wire.c
+++ b/sldns/str2wire.c
@@ -150,6 +150,10 @@ int sldns_str2wire_dname_buf_origin(const char* str, uint8_t* buf, size_t* len,
 	if(s) return s;
 
 	if(rel && origin && dlen > 0) {
+		if((unsigned)dlen >= 0x00ffffffU ||
+			(unsigned)origin_len >= 0x00ffffffU)
+			/* guard against integer overflow in addition */
+			return RET_ERR(LDNS_WIREPARSE_ERR_GENERAL, *len);
 		if(dlen + origin_len - 1 > LDNS_MAX_DOMAINLEN)
 			return RET_ERR(LDNS_WIREPARSE_ERR_DOMAINNAME_OVERFLOW,
 				LDNS_MAX_DOMAINLEN);
-- 
2.47.3