Make sure to limit max alloc size

see https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
author: manuel <manuel@mausz.at> 2020-05-19 23:59:38 +0200
committer: manuel <manuel@mausz.at> 2020-05-19 23:59:38 +0200
commit: 0f0e11b3d64ad562016d5c21dadbce74cc70c5f9 (patch)
tree: 02552111ef549609ace513f08325f4f3c7c2c4ea
parent: f2ef25deb1aa356d41cdd3f6e46d9a68c48bfce0 (diff)
download: qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.tar.gz
qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.tar.bz2
qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/alloc.c b/alloc.c
index 48a109b..11fe431 100644
--- a/alloc.c
+++ b/alloc.c
@@ -1,3 +1,4 @@
+#include <limits.h>
 #include "alloc.h"
 #include "error.h"
 #include <stdlib.h>
@@ -14,6 +15,10 @@ static unsigned int avail = SPACE; /* multiple of ALIGNMENT; 0<=avail<=SPACE */
 unsigned int n;
 {
  char *x;
+  if (n >= (INT_MAX >> 3)) {
+    errno = error_nomem;
+    return 0;
+  }
  n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
  if (n <= avail) { avail -= n; return space + avail; }
  x = malloc(n);
author	manuel <manuel@mausz.at>	2020-05-19 23:59:38 +0200
committer	manuel <manuel@mausz.at>	2020-05-19 23:59:38 +0200
commit	0f0e11b3d64ad562016d5c21dadbce74cc70c5f9 (patch)
tree	02552111ef549609ace513f08325f4f3c7c2c4ea
parent	f2ef25deb1aa356d41cdd3f6e46d9a68c48bfce0 (diff)
download	qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.tar.gz qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.tar.bz2 qmail-0f0e11b3d64ad562016d5c21dadbce74cc70c5f9.zip