Skip to content

Integer Overflow in resize()

In lib/isc/heap.c:resize() of the heap implementation the heap is grown but no integer overflow checks are performed on the addition for new_size or the multiplication for the actual size

static void
resize(isc_heap_t *heap) {
        void **new_array;
        unsigned int new_size;

        REQUIRE(VALID_HEAP(heap));

        new_size = heap->size + heap->size_increment;
        new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));

We recommend to add an overflow check for the addition and multiplication similar to the check implemented in isc__uv_calloc().

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information