From bb92ea678c2a2a524d2ee6e9d598275a659168d2 Mon Sep 17 00:00:00 2001 From: Rolf Eike Beer Date: Mon, 11 May 2020 18:30:13 +0200 Subject: [PATCH 3/4] mimimum fix for CVE-2005-1513 The first allocation at the tail of the function is not changed as that one starts with a small number of elements and grows only on subsequent call.s
---
gen_allocdefs.h | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/gen_allocdefs.h b/gen_allocdefs.h
index 783a9b1..0588441 100644
--- a/gen_allocdefs.h
+++ b/gen_allocdefs.h
@@ -4,24 +4,41 @@
 #define GEN_ALLOC_ready(ta,type,field,len,a,i,n,x,base,ta_ready) \
 int ta_ready(x,n) register ta *x; register unsigned int n; \
 { register unsigned int i; \
+ unsigned int nlen; \
 if (x->field) { \
 i = x->a; \
 if (n > i) { \
- x->a = base + n + (n >> 3); \
- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
+ unsigned int nnum; \
+ if (__builtin_add_overflow(base, n, &nlen)) \
+ return 0; \
+ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
+ return 0; \
+ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
+ return 0; \
+ x->a = nlen; \
+ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
 x->a = i; return 0; } \
 return 1; } \
 x->len = 0; \
 return !!(x->field = (type *) alloc((x->a = n) * sizeof(type))); }
 
 #define GEN_ALLOC_readyplus(ta,type,field,len,a,i,n,x,base,ta_rplus) \
-int ta_rplus(x,n) register ta *x; register unsigned int n; \
+int ta_rplus(x,n) register ta *x; unsigned int n; \
 { register unsigned int i; \
 if (x->field) { \
 i = x->a; n += x->len; \
+ if (__builtin_add_overflow(n, x->len, &n)) \
+ return 0; \
 if (n > i) { \
- x->a = base + n + (n >> 3); \
- if (alloc_re(&x->field,i * sizeof(type),x->a * sizeof(type))) return 1; \
+ unsigned int nlen, nnum; \
+ if (__builtin_add_overflow(base, n, &nlen)) \
+ return 0; \
+ if (__builtin_add_overflow(nlen, n >> 3, &nlen)) \
+ return 0; \
+ if (__builtin_mul_overflow(nlen, sizeof(type), &nnum)) \
+ return 0; \
+ x->a = nlen; \
+ if (alloc_re(&x->field,i * sizeof(type),nnum)) return 1; \
 x->a = i; return 0; } \
 return 1; } \
 x->len = 0; \
-- 2.26.1
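Review bot: In the GEN_ALLOC_readyplus body the added `if (__builtin_add_overflow(n, x->len, &n)) return 0;` comes after the unchanged context line `i = x->a; n += x->len;`, so x->len is added to n twice and every growth request is compared against the capacity and reserved as n + 2*len instead of n + len, which over-allocates and can make the overflow guard reject a request that would have fit. The checked addition is evidently meant to replace the plain `n += x->len`, so that context line should become `i = x->a; \` with the builtin as the only addition (unless patch 1/4 or 2/4 of this series already changes it). The `__builtin_add_overflow`/`__builtin_mul_overflow` calls are a GCC/Clang extension; if this header must still build with other compilers, a comment naming the minimum compiler version, or a portable fallback, would be worth adding. Both macro bodies end outside the hunk, so the unchanged `alloc((x->a = n) * sizeof(type))` tail of readyplus that the description mentions is not visible here.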