crypto/params_dup.c: add overflow check to ossl_param_buf_alloc

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
2025-07-17 15:10:25 +02:00 · 2025-07-17 15:10:25 +02:00 · d1cdadb43c
parent 19508afc14
commit d1cdadb43c
2 changed files with 8 additions and 2 deletions
--- a/crypto/params_dup.c
+++ b/crypto/params_dup.c
@ -10,6 +10,7 @@
 #include <string.h>
 #include <openssl/params.h>
 #include <openssl/param_build.h>
+#include "internal/check_size_overflow.h"
 #include "internal/param_build_set.h"

 #define OSSL_PARAM_ALLOCATED_END    127
@ -34,7 +35,12 @@ size_t ossl_param_bytes_to_blocks(size_t bytes)
 static int ossl_param_buf_alloc(OSSL_PARAM_BUF *out, size_t extra_blocks,
                                int is_secure)
 {
-    size_t sz = OSSL_PARAM_ALIGN_SIZE * (extra_blocks + out->blocks);
+    size_t sz;
+
+    if (is_size_overflow(extra_blocks + out->blocks, OSSL_PARAM_ALIGN_SIZE, &sz,
+                         OPENSSL_FILE, OPENSSL_LINE)) {
+        return 0;
+    }

    out->alloc = is_secure ? OPENSSL_secure_zalloc(sz) : OPENSSL_zalloc(sz);
    if (out->alloc == NULL)
--- a/ssl/quic/quic_txp.c
+++ b/ssl/quic/quic_txp.c
@ -3160,7 +3160,7 @@ static int txp_el_ensure_iovec(struct txp_el *el, size_t num)

    num = el->alloc_iovec != 0 ? el->alloc_iovec * 2 : 8;

-    iovec = OPENSSL_realloc(el->iovec, sizeof(OSSL_QTX_IOVEC) * num);
+    iovec = OPENSSL_realloc_array(el->iovec, num, sizeof(OSSL_QTX_IOVEC));
    if (iovec == NULL)
        return 0;