From 5d6fa331418d49f1bd488553fd1cfa9ab023fabb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Thu, 14 May 2020 12:32:30 +0200
Subject: Fix CVE-2020-12762.

This commit is a squashed backport of the following commits
on the master branch:

  * 099016b7e8d70a6d5dd814e788bba08d33d48426
  * 77d935b7ae7871a1940cd827e850e6063044ec45
  * d07b91014986900a3a75f306d302e13e005e9d67
  * 519dfe1591d85432986f9762d41d1a883198c157
  * a59d5acfab4485d5133114df61785b1fc633e0c6
  * 26f080997d41cfdb17beab65e90c82217d0ac43b
---
 linkhash.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'linkhash.c')

diff --git a/linkhash.c b/linkhash.c
index 7ea58c0..b021ef1 100644
--- a/linkhash.c
+++ b/linkhash.c
@@ -12,6 +12,7 @@
 
 #include "config.h"
 
+#include <assert.h>
 #include <limits.h>
 #include <stdarg.h>
 #include <stddef.h>
@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h
 	int i;
 	struct lh_table *t;
 
+	/* Allocate space for elements to avoid divisions by zero. */
+	assert(size > 0);
 	t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
 	if (!t)
 		return NULL;
@@ -578,8 +581,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con
 	unsigned long n;
 
 	if (t->count >= t->size * LH_LOAD_FACTOR)
-		if (lh_table_resize(t, t->size * 2) != 0)
+	{
+		/* Avoid signed integer overflow with large tables. */
+		int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2);
+		if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0)
 			return -1;
+	}
 
 	n = h % t->size;
 
-- 
cgit v1.2.1