From: Tony Finch <fanf@isc.org>
Date: Tue, 6 Jun 2023 14:24:02 +0000 (+0100)
Subject: Check for overflow when resizing a heap
X-Git-Tag: v9.19.15~15^2~1
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e2eaefbf7ab423805f4122de9ee0b93000bf8a80;p=thirdparty%2Fbind9.git

Check for overflow when resizing a heap

Ensure that the heap size calculations produce the correct answers,
and use `isc_mem_reget()` instead of calling `get` and `put`.

Closes #4122
---

diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 7b0cc288541..816b80db87b 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -26,6 +26,7 @@
 #include <isc/heap.h>
 #include <isc/magic.h>
 #include <isc/mem.h>
+#include <isc/overflow.h>
 #include <isc/string.h> /* Required for memmove. */
 #include <isc/util.h>
 
@@ -123,20 +124,17 @@ isc_heap_destroy(isc_heap_t **heapp) {
 
 static void
 resize(isc_heap_t *heap) {
-	void **new_array;
-	unsigned int new_size;
+	unsigned int new_size, new_bytes, old_bytes;
 
 	REQUIRE(VALID_HEAP(heap));
 
-	new_size = heap->size + heap->size_increment;
-	new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
-	if (heap->array != NULL) {
-		memmove(new_array, heap->array, heap->size * sizeof(void *));
-		isc_mem_put(heap->mctx, heap->array,
-			    heap->size * sizeof(void *));
-	}
+	new_size = ISC_CHECKED_ADD(heap->size, heap->size_increment);
+	new_bytes = ISC_CHECKED_MUL(new_size, sizeof(void *));
+	old_bytes = ISC_CHECKED_MUL(heap->size, sizeof(void *));
+
 	heap->size = new_size;
-	heap->array = new_array;
+	heap->array = isc_mem_reget(heap->mctx, heap->array, old_bytes,
+				    new_bytes);
 }
 
 static void