diff options
| author | Eric Hawicz <erh+git@nimenees.com> | 2020-05-15 21:05:30 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-05-15 21:05:30 -0400 |
| commit | f2b7d0b5cbd0eccf4fb3c1851ec0864952be1057 (patch) | |
| tree | 4a107b9f34da1184a5f54f17b89f50d3d7a5f134 /linkhash.c | |
| parent | 0e1d83f980288ab9bda6b316c0d6df6b28a0688a (diff) | |
| parent | 74accb17cde1b88794b2b764cabaaf1f0858656c (diff) | |
| download | json-c-0.12.tar.gz | |
Merge pull request #611 from besser82/topic/besser82/json-c-0.12/CVE-2020-12762json-c-0.12
json-c-0.12.x: Fix CVE-2020-12762 - json-c through 0.14 has an integer overflow and out-of-bounds write ...
Diffstat (limited to 'linkhash.c')
| -rw-r--r-- | linkhash.c | 12 |
1 files changed, 11 insertions, 1 deletions
@@ -10,6 +10,7 @@ * */ +#include <assert.h> #include <stdio.h> #include <string.h> #include <stdlib.h> @@ -431,6 +432,8 @@ struct lh_table* lh_table_new(int size, const char *name, int i; struct lh_table *t; + /* Allocate space for elements to avoid divisions by zero. */ + assert(size > 0); t = (struct lh_table*)calloc(1, sizeof(struct lh_table)); if(!t) lh_abort("lh_table_new: calloc failed\n"); t->count = 0; @@ -495,7 +498,14 @@ int lh_table_insert(struct lh_table *t, void *k, const void *v) unsigned long h, n; t->inserts++; - if(t->count >= t->size * LH_LOAD_FACTOR) lh_table_resize(t, t->size * 2); + if (t->count >= t->size * LH_LOAD_FACTOR) { + /* Avoid signed integer overflow with large tables. */ + int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); + if (t->size == INT_MAX) + return -1; + + lh_table_resize(t, new_size); + } h = t->hash_fn(k); n = h % t->size; |