Add check preventing integer multiplication wrapping around in scratch_max_allocation

2019-07-12 09:56:56 +00:00 · 2019-07-12 09:56:56 +00:00 · 4edaf06fb0
commit 4edaf06fb0
parent fa33017135
2 changed files with 12 additions and 0 deletions
--- a/src/scratch_impl.h
+++ b/src/scratch_impl.h
@ -60,6 +60,10 @@ static size_t secp256k1_scratch_max_allocation(const secp256k1_callback* error_c
        secp256k1_callback_call(error_callback, "invalid scratch space");
        return 0;
    }
+    /* Ensure that multiplication will not wrap around */
+    if (ALIGNMENT > 1 && objects > SIZE_MAX/(ALIGNMENT - 1)) {
+        return 0;
+    }
    if (scratch->max_size - scratch->alloc_size <= objects * (ALIGNMENT - 1)) {
        return 0;
    }
--- a/src/tests.c
+++ b/src/tests.c
@ -400,6 +400,14 @@ void run_scratch_tests(void) {
    secp256k1_scratch_space_destroy(none, scratch);
    CHECK(ecount == 5);

+    /* Test that large integers do not wrap around in a bad way */
+    scratch = secp256k1_scratch_space_create(none, 1000);
+    /* Try max allocation with a large number of objects. Only makes sense if
+     * ALIGNMENT is greater than 1 because otherwise the objects take no extra
+     * space. */
+    CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
+    secp256k1_scratch_space_destroy(none, scratch);
+
    /* cleanup */
    secp256k1_scratch_space_destroy(none, NULL); /* no-op */
    secp256k1_context_destroy(none);