1 files changed, 17 insertions, 58 deletions
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 620ea8d536..d7aa79ad7f 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -60,6 +60,11 @@
 #include "cryptlib.h"
 #include <openssl/buffer.h>
+/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
+ * function is applied in several functions in this file and this limit ensures
+ * that the result fits in an int. */
+#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
 BUF_MEM *BUF_MEM_new(void)
        {
        BUF_MEM *ret;
@@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len)
                str->length=len;
                return(len);
                }
+        /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+        if (len > LIMIT_BEFORE_EXPANSION)
+                {
+                BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
@@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
                str->length=len;
                return(len);
                }
+        /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+        if (len > LIMIT_BEFORE_EXPANSION)
+                {
+                BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
+                return 0;
+                }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
@@ -162,64 +179,6 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
        return(len);
        }
-char *BUF_strdup(const char *str)
-        {
-        if (str == NULL) return(NULL);
-        return BUF_strndup(str, strlen(str));
-        }
-char *BUF_strndup(const char *str, size_t siz)
-        {
-        char *ret;
-        if (str == NULL) return(NULL);
-        ret=OPENSSL_malloc(siz+1);
-        if (ret == NULL) 
-                {
-                BUFerr(BUF_F_BUF_STRNDUP,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        BUF_strlcpy(ret,str,siz+1);
-        return(ret);
-        }
-void *BUF_memdup(const void *data, size_t siz)
-        {
-        void *ret;
-        if (data == NULL) return(NULL);
-        ret=OPENSSL_malloc(siz);
-        if (ret == NULL) 
-                {
-                BUFerr(BUF_F_BUF_MEMDUP,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        return memcpy(ret, data, siz);
-        }       
-size_t BUF_strlcpy(char *dst, const char *src, size_t size)
-        {
-        size_t l = 0;
-        for(; size > 1 && *src; size--)
-                {
-                *dst++ = *src++;
-                l++;
-                }
-        if (size)
-                *dst = '\0';
-        return l + strlen(src);
-        }
-size_t BUF_strlcat(char *dst, const char *src, size_t size)
-        {
-        size_t l = 0;
-        for(; size > 0 && *dst; size--, dst++)
-                l++;
-        return l + BUF_strlcpy(dst, src, size);
-        }
 void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
        {
        size_t i;

diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c index 620ea8d536..d7aa79ad7f 100644 --- a/src/lib/libcrypto/buffer/buffer.c +++ b/src/lib/libcrypto/buffer/buffer.c
@@ -60,6 +60,11 @@
60	#include "cryptlib.h"	60	#include "cryptlib.h"
61	#include <openssl/buffer.h>	61	#include <openssl/buffer.h>
62		62
		63	/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/34 < 2*31. That
		64	* function is applied in several functions in this file and this limit ensures
		65	* that the result fits in an int. */
		66	#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
		67
63	BUF_MEM *BUF_MEM_new(void)	68	BUF_MEM *BUF_MEM_new(void)
64	{	69	{
65	BUF_MEM *ret;	70	BUF_MEM *ret;
@@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len)
105	str->length=len;	110	str->length=len;
106	return(len);	111	return(len);
107	}	112	}
		113	/* This limit is sufficient to ensure (len+3)/34 < 231 /
		114	if (len > LIMIT_BEFORE_EXPANSION)
		115	{
		116	BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
		117	return 0;
		118	}
108	n=(len+3)/3*4;	119	n=(len+3)/3*4;
109	if (str->data == NULL)	120	if (str->data == NULL)
110	ret=OPENSSL_malloc(n);	121	ret=OPENSSL_malloc(n);
@@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
142	str->length=len;	153	str->length=len;
143	return(len);	154	return(len);
144	}	155	}
		156	/* This limit is sufficient to ensure (len+3)/34 < 231 /
		157	if (len > LIMIT_BEFORE_EXPANSION)
		158	{
		159	BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
		160	return 0;
		161	}
145	n=(len+3)/3*4;	162	n=(len+3)/3*4;
146	if (str->data == NULL)	163	if (str->data == NULL)
147	ret=OPENSSL_malloc(n);	164	ret=OPENSSL_malloc(n);
@@ -162,64 +179,6 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
162	return(len);	179	return(len);
163	}	180	}
164		181
165	char BUF_strdup(const char str)
166	{
167	if (str == NULL) return(NULL);
168	return BUF_strndup(str, strlen(str));
169	}
170
171	char BUF_strndup(const char str, size_t siz)
172	{
173	char *ret;
174
175	if (str == NULL) return(NULL);
176
177	ret=OPENSSL_malloc(siz+1);
178	if (ret == NULL)
179	{
180	BUFerr(BUF_F_BUF_STRNDUP,ERR_R_MALLOC_FAILURE);
181	return(NULL);
182	}
183	BUF_strlcpy(ret,str,siz+1);
184	return(ret);
185	}
186
187	void BUF_memdup(const void data, size_t siz)
188	{
189	void *ret;
190
191	if (data == NULL) return(NULL);
192
193	ret=OPENSSL_malloc(siz);
194	if (ret == NULL)
195	{
196	BUFerr(BUF_F_BUF_MEMDUP,ERR_R_MALLOC_FAILURE);
197	return(NULL);
198	}
199	return memcpy(ret, data, siz);
200	}
201
202	size_t BUF_strlcpy(char dst, const char src, size_t size)
203	{
204	size_t l = 0;
205	for(; size > 1 && *src; size--)
206	{
207	dst++ = src++;
208	l++;
209	}
210	if (size)
211	*dst = '\0';
212	return l + strlen(src);
213	}
214
215	size_t BUF_strlcat(char dst, const char src, size_t size)
216	{
217	size_t l = 0;
218	for(; size > 0 && *dst; size--, dst++)
219	l++;
220	return l + BUF_strlcpy(dst, src, size);
221	}
222
223	void BUF_reverse(unsigned char out, unsigned char in, size_t size)	182	void BUF_reverse(unsigned char out, unsigned char in, size_t size)
224	{	183	{
225	size_t i;	184	size_t i;