authorDaiki Ueno <ueno@gnu.org>2021-03-30 12:54:04 +0000
committerDaiki Ueno <ueno@gnu.org>2021-03-30 12:54:04 +0000
commita6a45ad0a75e950119e8e529a5f7f505ce0311c7 (patch)
tree1be10204a0cd6e457965b0e3af1f6ae6c70d01f1 /lib/x509/pkcs12.c
parenta28a915f4ad820360cdbaaa83d98df206e2f00b7 (diff)
parent043d1bc387238139a4c2b7f7a6fffdac97ab2b73 (diff)
Merge branch 'wip/dueno/reallocarray' into 'master'
build: avoid potential integer overflow in array allocation Closes #1179 See merge request gnutls/gnutls!1392
Diffstat (limited to 'lib/x509/pkcs12.c')
-rw-r--r--lib/x509/pkcs12.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 2dc0823905..965de6fe02 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -37,6 +37,7 @@
#include "x509_int.h"
#include "pkcs7_int.h"
#include <random.h>
+#include "intprops.h"
/* Decodes the PKCS #12 auth_safe, and returns the allocated raw data,
@@ -1455,10 +1456,13 @@ static int make_chain(gnutls_x509_crt_t ** chain, unsigned int *chain_len,
!= 0)
goto skip;
- *chain =
- gnutls_realloc_fast(*chain,
- sizeof((*chain)[0]) *
- ++(*chain_len));
+ if (unlikely(INT_ADD_OVERFLOW(*chain_len, 1))) {
+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ }
+
+ *chain = _gnutls_reallocarray_fast(*chain,
+ ++(*chain_len),
+ sizeof((*chain)[0]));
if (*chain == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
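Review bot: `++(*chain_len)` in the argument list commits the new length before the allocation result is known, so the `*chain == NULL` branch just below returns with a NULL array and an already incremented `*chain_len`. If `_gnutls_reallocarray_fast` releases the old array on failure the way `gnutls_realloc_fast` does (its definition is not in this diff), the certificate handles that array held can no longer be reached for cleanup, and a caller that walks `*chain_len` entries without a NULL check would dereference NULL. Keep the pair consistent on failure, for example `*chain_len = 0;` in the NULL branch, and say in make_chain's header comment what the caller owns when it returns an error. The gnutls_pkcs12_simple_parse hunk has the same pattern with `++_extra_certs_len`; make_chain's body starts and ends outside this hunk.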
@@ -1778,12 +1782,15 @@ gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12,
}
if (memcmp(cert_id, key_id, cert_id_size) != 0) { /* they don't match - skip the certificate */
+ if (unlikely(INT_ADD_OVERFLOW(_extra_certs_len, 1))) {
+ ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+ goto done;
+ }
+
_extra_certs =
- gnutls_realloc_fast
- (_extra_certs,
- sizeof(_extra_certs
- [0]) *
- ++_extra_certs_len);
+ _gnutls_reallocarray_fast(_extra_certs,
+ ++_extra_certs_len,
+ sizeof(_extra_certs[0]));
if (!_extra_certs) {
gnutls_assert();
ret =
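Review bot: The new guard in the mismatch branch has no comment saying which overflow it covers. `INT_ADD_OVERFLOW(_extra_certs_len, 1)` only protects the counter increment; the count-times-element-size product is presumably checked inside `_gnutls_reallocarray_fast`, which this diff does not show. A one-line comment above the `if (unlikely(...))`, such as `/* counter must not wrap; the size product is checked by _gnutls_reallocarray_fast */`, would tell the next reader why both checks exist and that neither is redundant. The enclosing function continues outside the hunk.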