From 49923ccb2143e36850bcdeb781e2bcdf5ce22f15 Mon Sep 17 00:00:00 2001

From: John Hawthorn <john@hawthorn.email>

Date: Wed, 2 Mar 2022 14:17:59 -0800

Subject: [PATCH] Check need < buf->used

We're guaranteed a power of 2 so that this becomes 0, but we might as

well use a check for overflow that works in more cases.

Unsigned integer overflow is defined behaviour, so this should be safe.

(cherry picked from commit 36410d536b676e836637bb20574a56ebc920eb83)

---

 src/yajl_buf.c | 9 +++++++--

 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/yajl_buf.c b/src/yajl_buf.c

index 1aeafde0..8bd1bea7 100644

--- a/src/yajl_buf.c

+++ b/src/yajl_buf.c

@@ -30,7 +30,7 @@ struct yajl_buf_t {

 };

 static

-void yajl_buf_ensure_available(yajl_buf buf, size_t want)

+int yajl_buf_ensure_available(yajl_buf buf, size_t want)

 {

     size_t need;

@@ -46,11 +46,15 @@ void yajl_buf_ensure_available(yajl_buf buf, size_t want)

     need = buf->len;

     while (want >= (need - buf->used)) need <<= 1;

+    if (need < buf->used) {

+         return -1;

+    }

     if (need != buf->len) {

         buf->data = (unsigned char *) YA_REALLOC(buf->alloc, buf->data, need);

         buf->len = need;

     }

+    return 0;

 }

 yajl_buf yajl_buf_alloc(yajl_alloc_funcs * alloc)

@@ -70,7 +74,8 @@ void yajl_buf_free(yajl_buf buf)

 void yajl_buf_append(yajl_buf buf, const void * data, size_t len)

 {

-    yajl_buf_ensure_available(buf, len);

+    if (yajl_buf_ensure_available(buf, len))

+        return;

     if (len > 0) {

         assert(data != NULL);

         memcpy(buf->data + buf->used, data, len);