diff options
author | Evan Huus <eapache@gmail.com> | 2014-08-03 17:48:06 -0400 |
---|---|---|
committer | Bill Meier <wmeier@newsguy.com> | 2014-08-04 00:08:19 +0000 |
commit | efb8a1ee4319593dc14b8a42068f2cfddea1bff5 (patch) | |
tree | fc85ef331f79b8c74e34cff787dcdf238047bbba /epan/wmem | |
parent | 5b9acdaf613a74a413077c9338ac0822121ad2df (diff) |
Check for multiplicative overflow in the wmem_alloc_array macros.
Bug:10343
Change-Id: Iea511c806b92999b3b497f94886c46a818100a23
Reviewed-on: https://code.wireshark.org/review/3396
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Diffstat (limited to 'epan/wmem')
-rw-r--r-- | epan/wmem/wmem_core.h | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/epan/wmem/wmem_core.h b/epan/wmem/wmem_core.h index a3007965cf..231d508713 100644 --- a/epan/wmem/wmem_core.h +++ b/epan/wmem/wmem_core.h @@ -88,6 +88,9 @@ G_GNUC_MALLOC; #define wmem_new(allocator, type) \ ((type*)wmem_alloc((allocator), sizeof(type))) +#define wmem_safe_mult(A, B) \ + ((((B) > 0) && ((A) > (G_MAXSSIZE / (B)))) ? 0 : ((A) * (B))) + /** Allocate memory sufficient to hold n objects of the given type. * * @param allocator The allocator object to use to allocate the memory. @@ -96,7 +99,7 @@ G_GNUC_MALLOC; * @return A void pointer to the newly allocated memory. */ #define wmem_alloc_array(allocator, type, num) \ - ((type*)wmem_alloc((allocator), sizeof(type) * (num))) + ((type*)wmem_alloc((allocator), wmem_safe_mult(sizeof(type), num))) /** Allocate the requested amount of memory in the given pool. Initializes the * allocated memory with zeroes. @@ -129,7 +132,7 @@ G_GNUC_MALLOC; * @return A void pointer to the newly allocated and zeroed memory. */ #define wmem_alloc0_array(allocator, type, num) \ - ((type*)wmem_alloc0((allocator), sizeof(type) * (num))) + ((type*)wmem_alloc0((allocator), wmem_safe_mult(sizeof(type), (num)))) /** Returns the allocated memory to the allocator. This function should only * be called directly by allocators when the allocated block is sufficiently |