Additional robustness to SFTP packet parsing and memory allocation.

[originally from svn r5358]
2025-06-30 19:12:48 -05:00 · 2005-02-20 10:30:05 +00:00
parent 3c44ce243f
commit 893d187b81
3 changed files with 182 additions and 92 deletions
--- a/misc.c
+++ b/misc.c
@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdarg.h>
+#include <limits.h>
 #include <ctype.h>
 #include <assert.h>
 #include "putty.h"
@ -388,14 +389,21 @@ void mlog(char *file, int line)
 }
 #endif

-void *safemalloc(size_t size)
+void *safemalloc(size_t n, size_t size)
 {
    void *p;
+
+    if (n > INT_MAX / size) {
+	p = NULL;
+    } else {
+	size *= n;
 #ifdef MINEFIELD
-    p = minefield_c_malloc(size);
+	p = minefield_c_malloc(size);
 #else
-    p = malloc(size);
+	p = malloc(size);
 #endif
+    }
+
    if (!p) {
 	char str[200];
 #ifdef MALLOC_LOG
@ -415,22 +423,29 @@ void *safemalloc(size_t size)
    return p;
 }

-void *saferealloc(void *ptr, size_t size)
+void *saferealloc(void *ptr, size_t n, size_t size)
 {
    void *p;
-    if (!ptr) {
-#ifdef MINEFIELD
-	p = minefield_c_malloc(size);
-#else
-	p = malloc(size);
-#endif
+
+    if (n > INT_MAX / size) {
+	p = NULL;
    } else {
+	size *= n;
+	if (!ptr) {
 #ifdef MINEFIELD
-	p = minefield_c_realloc(ptr, size);
+	    p = minefield_c_malloc(size);
 #else
-	p = realloc(ptr, size);
+	    p = malloc(size);
 #endif
+	} else {
+#ifdef MINEFIELD
+	    p = minefield_c_realloc(ptr, size);
+#else
+	    p = realloc(ptr, size);
+#endif
+	}
    }
+
    if (!p) {
 	char str[200];
 #ifdef MALLOC_LOG