r17221: Add some integer wrap parinoia to data_blob_append().

Andrew Bartlett
(This used to be commit 7c5a25a423da3db982396ac507df985fa934be73)

diff --git a/source4/lib/util/data_blob.c b/source4/lib/util/data_blob.c
index 118d78ca6081a5f0eae3dbdc7f10522feba21c38..3253d52ee7bb8af205e308ab3f277072c1f088f6 100644 (file)
--- a/source4/lib/util/data_blob.c
+++ b/source4/lib/util/data_blob.c
@@ -202,17 +202,30 @@ _PUBLIC_ NTSTATUS data_blob_realloc(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, size_t
        return NT_STATUS_OK;
 }
 
+
 /**
   append some data to a data blob
 **/
 _PUBLIC_ NTSTATUS data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
                                   const void *p, size_t length)
 {
-       blob->data = talloc_realloc_size(mem_ctx, blob->data,
-                                        blob->length + length);
-       NT_STATUS_HAVE_NO_MEMORY(blob->data);   
-       memcpy(blob->data + blob->length, p, length);
-       blob->length += length;
+       NTSTATUS status;
+       size_t old_len = blob->length;
+       size_t new_len = old_len + length;
+       if (new_len < length || new_len < old_len) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if ((const uint8_t *)p + length < (const uint8_t *)p) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       
+       status = data_blob_realloc(mem_ctx, blob, new_len);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       memcpy(blob->data + old_len, p, length);
        return NT_STATUS_OK;
 }