From: Daiki Ueno Date: Sun, 18 Oct 2020 05:25:42 +0000 (+0200) Subject: serv: peer_print_info: add overflow check on realloc X-Git-Tag: 3.7.0~19^2~5^2~3 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7f9eb884aa17665278b0f87a60153a8a3b6f450e;p=thirdparty%2Fgnutls.git serv: peer_print_info: add overflow check on realloc Signed-off-by: Daiki Ueno --- diff --git a/bootstrap.conf b/bootstrap.conf index 36b6d58f8e..387c4f8d51 100644 --- a/bootstrap.conf +++ b/bootstrap.conf @@ -36,7 +36,7 @@ unictype/category-all unictype/property-default-ignorable-code-point unictype/pr " src_modules=" -accept bind close connect getaddrinfo getpass gettext-h arpa_inet inet_ntop inet_pton inttypes listen linked-list minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen xalloc xlist +accept bind close connect getaddrinfo getpass gettext-h arpa_inet inet_ntop inet_pton inttypes listen linked-list minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen xalloc xlist xsize " # Build prerequisites diff --git a/src/serv.c b/src/serv.c index 629c398529..add0ee4065 100644 --- a/src/serv.c +++ b/src/serv.c @@ -50,6 +50,7 @@ #include "read-file.h" #include "sockets.h" #include "xalloc.h" +#include "xsize.h" /* konqueror cannot handle sending the page in multiple * pieces. @@ -562,7 +563,7 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, char *http_buffer, *desc; gnutls_kx_algorithm_t kx_alg; size_t len = 20 * 1024 + strlen(header); - char *crtinfo = NULL, *crtinfo_old = NULL; + char *crtinfo = NULL; gnutls_protocol_t version; size_t ncrtinfo = 0; @@ -600,17 +601,22 @@ static char *peer_print_info(gnutls_session_t session, int *ret_length, && gnutls_x509_crt_print(cert, GNUTLS_CRT_PRINT_FULL, &info) == 0) { - const char *post = "

";
+				const char post[] = "

";
+				char *crtinfo_new;
+				size_t ncrtinfo_new;
 				
-				crtinfo_old = crtinfo;
-				crtinfo =
-				    realloc(crtinfo,
-					    ncrtinfo + info.size +
-					    strlen(post) + 1);
-				if (crtinfo == NULL) {
-					free(crtinfo_old);
+				ncrtinfo_new = xsum3(ncrtinfo, info.size,
+						     sizeof(post));
+				if (size_overflow_p(ncrtinfo_new)) {
+					free(crtinfo);
 					return NULL;
 				}
+				crtinfo_new = realloc(crtinfo, ncrtinfo_new);
+				if (crtinfo_new == NULL) {
+					free(crtinfo);
+					return NULL;
+				}
+				crtinfo = crtinfo_new;
 				memcpy(crtinfo + ncrtinfo, info.data,
 				       info.size);
 				ncrtinfo += info.size;
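Review bot: Both new early returns (after `size_overflow_p(ncrtinfo_new)` and after the failed `realloc`) free `crtinfo` but do not release `info`, which `gnutls_x509_crt_print` filled just above, so each failure on this path leaks the printed certificate text in a long-running server. Adding `gnutls_free(info.data);` before `free(crtinfo);` on both paths would close that; the `cert` handle may need the same treatment, but where it is initialised and released is outside the hunk, so confirm there. A short comment on the sum, such as `/* sizeof(post) counts the trailing NUL, so this is the full buffer size */`, would also explain why the former `+ 1` is gone. peer_print_info starts and ends outside this hunk.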