SECURITY: Integer overflow in pointer validation.
kentonv committed Mar 2, 2015
1 parent 3a71746 commit f343f0d
Showing 1 changed file with 4 additions and 3 deletions.
7 changes: 4 additions & 3 deletions c++/src/capnp/layout.c++
Expand Up @@ -685,7 +685,8 @@ struct WireHelpers {
return result;
}

KJ_REQUIRE(elementTag->structRef.wordSize() / ELEMENTS * count <= wordCount,
KJ_REQUIRE(elementTag->structRef.wordSize() / ELEMENTS *
ElementCount64(count) <= wordCount,
"Struct list pointer's elements overran size.") {
return result;
}
Expand Down Expand Up @@ -1663,7 +1664,7 @@ struct WireHelpers {
ElementCount elementCount = tag->inlineCompositeListElementCount();
auto wordsPerElement = tag->structRef.wordSize() / ELEMENTS;

KJ_REQUIRE(wordsPerElement * elementCount <= wordCount,
KJ_REQUIRE(wordsPerElement * ElementCount64(elementCount) <= wordCount,
"INLINE_COMPOSITE list's elements overrun its word count.") {
goto useDefault;
}
Expand Down Expand Up @@ -1919,7 +1920,7 @@ struct WireHelpers {
size = tag->inlineCompositeListElementCount();
wordsPerElement = tag->structRef.wordSize() / ELEMENTS;

KJ_REQUIRE(size * wordsPerElement <= wordCount,
KJ_REQUIRE(ElementCount64(size) * wordsPerElement <= wordCount,
"INLINE_COMPOSITE list's elements overrun its word count.") {
goto useDefault;
}
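Review bot: Nothing at the three patched `KJ_REQUIRE` sites says why the count is wrapped in `ElementCount64`, so a later cleanup could drop the cast and reintroduce the wrap-around that lets an oversized element count pass the bounds check. I would add a comment above each check, for example `// Widen before multiplying: words-per-element * count is read from the message (presumably untrusted) and must not wrap in 32 bits.`, or move the comparison into one small helper so the widening lives in a single place. The commit touches only layout.c++, so no regression test pins the fix; a test that decodes a list tag whose element count times word size exceeds 32 bits and expects the check to reject it would keep the behaviour from regressing. The enclosing functions start and end outside the hunks, so any later use of the same product there should be checked for the same widening.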