x509: avoid integer overflow when escaping DN
authorDaiki Ueno <ueno@gnu.org>
Fri, 16 Jan 2026 02:26:21 +0000 (11:26 +0900)
committerAlexander Sosedkin <asosedkin@redhat.com>
Mon, 9 Feb 2026 11:59:26 +0000 (12:59 +0100)
Signed-off-by: Daiki Ueno <ueno@gnu.org>
lib/x509/common.c

index 5a4d7246f6d2eb67254585b924a82c353ca10b9b..d63b40f3580ceb0c476b752bb53c20f4f14fed05 100644 (file)
@@ -31,6 +31,7 @@
 #include "num.h"
 #include "x509_b64.h"
 #include <c-strcase.h>
+#include "intprops.h"
 #include "x509_int.h"
 #include "extras/hex.h"
 #include "common.h"
@@ -176,13 +177,18 @@ static int str_escape(const gnutls_datum_t *str, gnutls_datum_t *escaped)
 {
        unsigned int j, i;
        uint8_t *buffer = NULL;
+       size_t size;
        int ret;
 
        if (str == NULL)
                return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
        /* the string will be at most twice the original */
-       buffer = gnutls_malloc(str->size * 2 + 2);
+       if (!INT_MULTIPLY_OK(str->size, 2, &size) ||
+           !INT_ADD_OK(size, 2, &size))
+               return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+
+       buffer = gnutls_malloc(size);
        if (buffer == NULL)
                return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
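Review bot: The overflow check added in str_escape is evaluated in `size_t`, while the indices declared at the top of the function are still `unsigned int j, i;`. On a 64-bit build `INT_MULTIPLY_OK(str->size, 2, &size)` therefore cannot fail for any 32-bit `str->size`, and the guard only takes effect where `size_t` is 32 bits wide. The escaping loop lies outside this hunk, but if it advances `j` up to twice the input length and stores it in the `unsigned int` size field of `escaped`, a very large input could still wrap `j` and yield a truncated escaped length. Declaring the result as `unsigned int size;` would make the check match the width of the indices and of the output length; `gnutls_malloc(size)` is unaffected by that change.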