bufq: add integer overflow checks before chunk allocations
authorCole Leavitt <coleleavitt@protonmail.com>
Thu, 31 Jul 2025 05:19:01 +0000 (22:19 -0700)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 31 Jul 2025 08:07:11 +0000 (10:07 +0200)
Closes #18112

lib/bufq.c

index 8783619eed0bbac55c0a1b7aee3c2deb913f693b..9919707b4c58c1f08878724a0f876cc7ba7c7f27 100644 (file)
@@ -174,6 +174,12 @@ static CURLcode bufcp_take(struct bufc_pool *pool,
     return CURLE_OK;
   }
 
+  /* Check for integer overflow before allocation */
+  if(pool->chunk_size > SIZE_MAX - sizeof(*chunk)) {
+    *pchunk = NULL;
+    return CURLE_OUT_OF_MEMORY;
+  }
+
   chunk = calloc(1, sizeof(*chunk) + pool->chunk_size);
   if(!chunk) {
     *pchunk = NULL;
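Review bot: The same size guard is written out twice, here in bufcp_take and again in the get_spare hunk, and in both places the comment says what the line does rather than what goes wrong without it. The chunk size appears to be fixed when the pool or queue is set up (inferred; the init code is not part of this diff), so rejecting an oversized value once at that point, or sharing one small static helper, would keep the two allocation sites from drifting apart. If the checks stay inline, a comment such as `/* sizeof(*chunk) + chunk_size must not wrap, or calloc() would return a chunk smaller than chunk_size */` records why the guard matters. bufcp_take starts and ends outside the hunk.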
@@ -302,6 +308,11 @@ static struct buf_chunk *get_spare(struct bufq *q)
     return chunk;
   }
   else {
+    /* Check for integer overflow before allocation */
+    if(q->chunk_size > SIZE_MAX - sizeof(*chunk)) {
+      return NULL;
+    }
+
     chunk = calloc(1, sizeof(*chunk) + q->chunk_size);
     if(!chunk)
       return NULL;
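Review bot: The added `if` in get_spare wraps a single `return NULL;` in braces, while the `if(!chunk)` check right after the calloc in the same branch has none. Writing it as `if(q->chunk_size > SIZE_MAX - sizeof(*chunk))` followed directly by `return NULL;` would match the surrounding code. The NULL returned here cannot be told apart from an allocation failure by the caller, which looks intended given that bufcp_take reports the same condition as CURLE_OUT_OF_MEMORY. get_spare continues outside the hunk.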