From c047a88f41ffed47e2eb422f8efb594aae80d61e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 25 Jul 2006 00:53:03 +0000
Subject: r17221: Add some integer wrap parinoia to data_blob_append().
Andrew Bartlett (This used to be commit 7c5a25a423da3db982396ac507df985fa934be73)
---
 source4/lib/util/data_blob.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)
(limited to 'source4/lib/util')
diff --git a/source4/lib/util/data_blob.c b/source4/lib/util/data_blob.c
index 118d78ca60..3253d52ee7 100644
--- a/source4/lib/util/data_blob.c
+++ b/source4/lib/util/data_blob.c
@@ -202,17 +202,30 @@ _PUBLIC_ NTSTATUS data_blob_realloc(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, size_t
 return NT_STATUS_OK;
 }
+
 /**
 append some data to a data blob
 **/
 _PUBLIC_ NTSTATUS data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
 const void *p, size_t length)
 {
- blob->data = talloc_realloc_size(mem_ctx, blob->data,
- blob->length + length);
- NT_STATUS_HAVE_NO_MEMORY(blob->data);
- memcpy(blob->data + blob->length, p, length);
- blob->length += length;
+ NTSTATUS status;
+ size_t old_len = blob->length;
+ size_t new_len = old_len + length;
+ if (new_len < length || new_len < old_len) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if ((const uint8_t *)p + length < (const uint8_t *)p) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = data_blob_realloc(mem_ctx, blob, new_len);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ memcpy(blob->data + old_len, p, length);
 return NT_STATUS_OK;
 }
-- cgit
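Review bot: The second guard in data_blob_append(), `(const uint8_t *)p + length < (const uint8_t *)p`, tests for wrap by doing pointer arithmetic that is itself undefined once it leaves the object, so an optimising compiler may treat the comparison as always false and drop it. If the check is kept, do it on integers instead: `if ((uintptr_t)p + length < (uintptr_t)p) {`. The size_t test above it is well defined, though for unsigned values `new_len < old_len` alone is sufficient. The new body no longer updates `blob->length` itself and appears to rely on data_blob_realloc() setting it to new_len; that function's body is outside the hunk, so this is worth confirming.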