From 74accb17cde1b88794b2b764cabaaf1f0858656c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Fri, 15 May 2020 20:38:40 +0200
Subject: Fix CVE-2020-12762. This commit is a squashed and slightly modified backport of the following commits on the master branch: * 77d935b * d07b910 * 519dfe1 * a59d5ac
---
 linkhash.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'linkhash.c')
diff --git a/linkhash.c b/linkhash.c
index 8791a42..6543e17 100644
--- a/linkhash.c
+++ b/linkhash.c
@@ -10,6 +10,7 @@
 *
 */
+#include
 #include
 #include
 #include
@@ -431,6 +432,8 @@ struct lh_table* lh_table_new(int size, const char *name,
 int i;
 struct lh_table *t;
+ /* Allocate space for elements to avoid divisions by zero. */
+ assert(size > 0);
 t = (struct lh_table*)calloc(1, sizeof(struct lh_table));
 if(!t) lh_abort("lh_table_new: calloc failed\n");
 t->count = 0;
@@ -495,7 +498,14 @@ int lh_table_insert(struct lh_table *t, void *k, const void *v)
 unsigned long h, n;
 t->inserts++;
- if(t->count >= t->size * LH_LOAD_FACTOR) lh_table_resize(t, t->size * 2);
+ if (t->count >= t->size * LH_LOAD_FACTOR) {
+ /* Avoid signed integer overflow with large tables. */
+ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2);
+ if (t->size == INT_MAX)
+ return -1;
+
+ lh_table_resize(t, new_size);
+ }
 h = t->hash_fn(k);
 n = h % t->size;
--
cgit v1.2.1
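Review bot: The new `assert(size > 0);` in lh_table_new is compiled out when the library is built with NDEBUG, so the division-by-zero guard its comment describes would not exist in such a build. A runtime check in the style the function already uses a few lines below survives any build flags, for example `if (size <= 0) lh_abort("lh_table_new: size must be positive\n");`. lh_table_new starts and ends outside the hunk, so whether later lines rely on a positive size in other ways cannot be confirmed from here.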
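Review bot: The `return -1;` added to lh_table_insert for `t->size == INT_MAX` is reached after `t->inserts++` has already run, so the counter records an insert that never took place. Moving the increment below the resize block would keep the statistic accurate. The -1 result also appears to be a new outcome for this function, and a caller that ignores the return value (none are visible in this hunk) would silently lose the key. The function's header comment should state it, for example `/* Returns -1 if the table is already at INT_MAX size and cannot grow. */`. The function body continues outside the hunk.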