From 5d6fa331418d49f1bd488553fd1cfa9ab023fabb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 14 May 2020 12:32:30 +0200
Subject: Fix CVE-2020-12762.

This commit is a squashed backport of the following commits
on the master branch:

  * 099016b7e8d70a6d5dd814e788bba08d33d48426
  * 77d935b7ae7871a1940cd827e850e6063044ec45
  * d07b91014986900a3a75f306d302e13e005e9d67
  * 519dfe1591d85432986f9762d41d1a883198c157
  * a59d5acfab4485d5133114df61785b1fc633e0c6
  * 26f080997d41cfdb17beab65e90c82217d0ac43b
---
 arraylist.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'arraylist.c')

diff --git a/arraylist.c b/arraylist.c
index 12ad8af..e5524ac 100644
--- a/arraylist.c
+++ b/arraylist.c
@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
 {
 	size_t i, stop;
 
+	/* Avoid overflow in calculation with large indices. */
+	if (idx > SIZE_T_MAX - count)
+		return -1;
 	stop = idx + count;
 	if (idx >= arr->length || stop > arr->length)
 		return -1;
-- 
cgit v1.2.1