Additional robustness to SFTP packet parsing and memory allocation.

[u/mdw/putty] / misc.c

diff --git a/misc.c b/misc.c
index 59e91f2..fea96a9 100644 (file)
--- a/misc.c
+++ b/misc.c
@@ -5,6 +5,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdarg.h>
+#include <limits.h>
 #include <ctype.h>
 #include <assert.h>
 #include "putty.h"
@@ -388,14 +389,21 @@ void mlog(char *file, int line)
 }
 #endif
 
-void *safemalloc(size_t size)
+void *safemalloc(size_t n, size_t size)
 {
     void *p;
+
+    if (n > INT_MAX / size) {
+       p = NULL;
+    } else {
+       size *= n;
 #ifdef MINEFIELD
-    p = minefield_c_malloc(size);
+       p = minefield_c_malloc(size);
 #else
-    p = malloc(size);
+       p = malloc(size);
 #endif
+    }
+
     if (!p) {
        char str[200];
 #ifdef MALLOC_LOG
@@ -415,22 +423,29 @@ void *safemalloc(size_t size)
     return p;
 }
 
-void *saferealloc(void *ptr, size_t size)
+void *saferealloc(void *ptr, size_t n, size_t size)
 {
     void *p;
-    if (!ptr) {
+
+    if (n > INT_MAX / size) {
+       p = NULL;
+    } else {
+       size *= n;
+       if (!ptr) {
 #ifdef MINEFIELD
-       p = minefield_c_malloc(size);
+           p = minefield_c_malloc(size);
 #else
-       p = malloc(size);
+           p = malloc(size);
 #endif
-    } else {
+       } else {
 #ifdef MINEFIELD
-       p = minefield_c_realloc(ptr, size);
+           p = minefield_c_realloc(ptr, size);
 #else
-       p = realloc(ptr, size);
+           p = realloc(ptr, size);
 #endif
+       }
     }
+
     if (!p) {
        char str[200];
 #ifdef MALLOC_LOG