From f789b04f407c2003da62d2b91b587629f1a781d0 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 23 Sep 2016 16:41:50 +0100
Subject: [PATCH] Fix a WPACKET bug
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
If we request more bytes to be allocated than double what we have already written, then we grow the buffer by the wrong amount.
Reviewed-by: Emilia Käsper
---
 ssl/packet.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/ssl/packet.c b/ssl/packet.c
index 0e8e8764dd..4077de5c33 100644
--- a/ssl/packet.c
+++ b/ssl/packet.c
@@ -24,12 +24,16 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes)
 if (pkt->buf->length - pkt->written < len) {
 size_t newlen;
+ size_t reflen;
- if (pkt->buf->length > SIZE_MAX / 2) {
+ reflen = (len > pkt->buf->length) ? len : pkt->buf->length;
+
+ if (reflen > SIZE_MAX / 2) {
 newlen = SIZE_MAX;
 } else {
- newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE
- : pkt->buf->length * 2;
+ newlen = reflen * 2;
+ if (newlen < DEFAULT_BUF_SIZE)
+ newlen = DEFAULT_BUF_SIZE;
 }
 if (BUF_MEM_grow(pkt->buf, newlen) == 0)
 return 0;
--
2.25.1
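Review bot: After the `BUF_MEM_grow(pkt->buf, newlen)` call at the end of the hunk, nothing re-checks that the grown buffer really has room for `len` more bytes past `pkt->written`; the new `reflen * 2` sizing is sufficient only if `pkt->written` never exceeds `pkt->buf->length`, an invariant this hunk does not show. Because the defect being fixed was an undersized grow, which presumably let the caller write past the allocation, a fail-closed guard directly after the grow would keep any later sizing mistake from becoming an out-of-bounds write: `if (pkt->buf->length < pkt->written || pkt->buf->length - pkt->written < len) return 0;`. The diffstat lists only ssl/packet.c, so a regression test that requests more than double the bytes already written would also be worth adding. WPACKET_allocate_bytes begins before and continues after the hunk, so the code that hands out the pointer is not visible here.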