From a980446d0cf8f455c49f6543bd8486b442e326b1 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 2 Dec 2004 04:33:01 +0000 Subject: [PATCH] Be more proactive about noticing underflows: size_t values greater than 0x800...00 are likely to be trouble. svn:r3064 --- src/common/compat.c | 2 ++ src/common/crypto.c | 6 ++++++ src/common/torint.h | 3 +++ src/common/util.c | 9 ++++++++- 4 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/common/compat.c b/src/common/compat.c index e025bff207..128ff4a2bb 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -100,6 +100,8 @@ int tor_vsnprintf(char *str, size_t size, const char *format, va_list args) int r; if (size == 0) return -1; /* no place for the NUL */ + if (size > SIZE_T_CEILING) + return -1; #ifdef MS_WINDOWS r = _vsnprintf(str, size, format, args); #else diff --git a/src/common/crypto.c b/src/common/crypto.c index a299a0ea13..6d4533b5da 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1520,6 +1520,8 @@ base64_encode(char *dest, size_t destlen, const char *src, size_t srclen) */ if (destlen < ((srclen/48)+1)*66) return -1; + if (destlen > SIZE_T_CEILING) + return -1; EVP_EncodeInit(&ctx); EVP_EncodeUpdate(&ctx, dest, &len, (char*) src, srclen); @@ -1543,6 +1545,8 @@ base64_decode(char *dest, size_t destlen, const char *src, size_t srclen) */ if (destlen < ((srclen/64)+1)*49) return -1; + if (destlen > SIZE_T_CEILING) + return -1; EVP_DecodeInit(&ctx); EVP_DecodeUpdate(&ctx, dest, &len, (char*) src, srclen); @@ -1562,6 +1566,7 @@ base32_encode(char *dest, size_t destlen, const char *src, size_t srclen) tor_assert((nbits%5) == 0); /* We need an even multiple of 5 bits. */ tor_assert((nbits/5)+1 <= destlen); /* We need enough space. */ + tor_assert(destlen < SIZE_T_CEILING); for (i=0,bit=0; bit < nbits; ++i, bit+=5) { /* set v to the 16-bit value starting at src[bits/8], 0-padded. */ 
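Review bot: The new `destlen > SIZE_T_CEILING` guard in base64_encode is placed after the `destlen < ((srclen/48)+1)*66` comparison, and that multiplication is exactly the arithmetic an underflowed length would wrap, while srclen itself receives no ceiling check at all. Moving the guard first and bounding both lengths, `if (srclen > SIZE_T_CEILING || destlen > SIZE_T_CEILING) return -1;`, lets the space comparison below operate on sane values. If EVP_EncodeUpdate takes its input length as an int (its prototype is not visible here), a srclen above INT_MAX would also be silently truncated, which is a second reason to bound the source length. The start of base64_encode lies outside the hunk.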
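Review bot: In base64_decode the added `destlen > SIZE_T_CEILING` check comes after `destlen < ((srclen/64)+1)*49`, so the multiplication on an unchecked srclen is evaluated first and can wrap before the ceiling test ever runs. Putting `if (srclen > SIZE_T_CEILING || destlen > SIZE_T_CEILING) return -1;` ahead of the space comparison closes that gap and also bounds the value handed to EVP_DecodeUpdate. The function's signature and the start of its body are outside the hunk.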
@@ -1588,6 +1593,7 @@ secret_to_key(char *key_out, size_t key_out_len, const char *secret, uint8_t c; size_t count; char *tmp; + tor_assert(key_out_len < SIZE_T_CEILING); #define EXPBIAS 6 c = s2k_specifier[8]; diff --git a/src/common/torint.h b/src/common/torint.h index af2775a8cb..1973db0d81 100644 --- a/src/common/torint.h +++ b/src/common/torint.h @@ -232,5 +232,8 @@ typedef uint32_t uintptr_t; #endif #endif +/* Any size_t larger than this amount is likely to be an underflow. */ +#define SIZE_T_CEILING (1u<<(sizeof(size_t)*8 - 1)) + #endif /* __TORINT_H */ diff --git a/src/common/util.c b/src/common/util.c index 169dbf14bd..dd6ff289ee 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -18,6 +18,7 @@ const char util_c_id[] = "$Id$"; #include "util.h" #include "log.h" #include "crypto.h" +#include "torint.h" #ifdef MS_WINDOWS #include @@ -218,6 +219,8 @@ int tor_strpartition(char *dest, size_t dest_len, tor_assert(s); tor_assert(insert); tor_assert(n > 0); + tor_assert(n < SIZE_T_CEILING); + tor_assert(dest_len < SIZE_T_CEILING); len_in = strlen(s); len_ins = strlen(insert); len_out = len_in + (len_in/n)*len_ins; @@ -444,6 +447,7 @@ void base16_encode(char *dest, size_t destlen, const char *src, size_t srclen) char *cp; tor_assert(destlen >= srclen*2+1); + tor_assert(destlen < SIZE_T_CEILING); cp = dest; end = src+srclen; @@ -477,7 +481,7 @@ int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen) int v1,v2; if ((srclen % 2) != 0) return -1; - if (destlen < srclen/2) + if (destlen < srclen/2 || destlen > SIZE_T_CEILING) return -1; end = src+srclen; while (src SIZE_T_CEILING) + return -1; + while (numread != count) { if (isSocket) result = recv(fd, buf+numread, count-numread, 0);
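Review bot: `(1u<<(sizeof(size_t)*8 - 1))` is evaluated in unsigned int, so on a platform where size_t is 64 bits the shift count is 63, wider than the 32-bit type being shifted; that is undefined behaviour in C and cannot yield the intended 0x8000000000000000 in any case. Widen the operand to size_t first, `#define SIZE_T_CEILING ((size_t)1 << (sizeof(size_t)*8 - 1))`, so the constant has the width of the type it bounds. Separately, the callers in this patch disagree about the boundary: the `return -1` sites reject only `> SIZE_T_CEILING` while the tor_assert sites require `< SIZE_T_CEILING`, so a length of exactly SIZE_T_CEILING passes one and aborts in the other. Pick one form, and have the comment above the macro state it, e.g. `/* Any size_t >= this value is treated as an underflow and rejected. */`.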
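Review bot: In base16_encode the new `tor_assert(destlen < SIZE_T_CEILING)` sits after `tor_assert(destlen >= srclen*2+1)`, so `srclen*2+1` is computed, and can wrap for an underflowed srclen, before any ceiling check, and srclen is never bounded. Asserting on the source length first, `tor_assert(srclen < SIZE_T_CEILING);` above the existing space check, keeps the multiplication meaningful, since with srclen below half the size_t range `srclen*2+1` cannot wrap. The body of base16_encode continues beyond the hunk.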