Add check preventing integer multiplication wrapping around in scratch_max_allocation

jonasnick · jonasnick · commit 4edaf06fb02a · 2019-07-30T15:54:31.000Z
diff --git a/src/scratch_impl.h b/src/scratch_impl.h
@@ -60,6 +60,10 @@ static size_t secp256k1_scratch_max_allocation(const secp256k1_callback* error_c
         secp256k1_callback_call(error_callback, "invalid scratch space");
         return 0;
     }
+    /* Ensure that multiplication will not wrap around */
+    if (ALIGNMENT > 1 && objects > SIZE_MAX/(ALIGNMENT - 1)) {
+        return 0;
+    }
     if (scratch->max_size - scratch->alloc_size <= objects * (ALIGNMENT - 1)) {
         return 0;
     }
diff --git a/src/tests.c b/src/tests.c
@@ -400,6 +400,14 @@ void run_scratch_tests(void) {
     secp256k1_scratch_space_destroy(none, scratch);
     CHECK(ecount == 5);
 
+    /* Test that large integers do not wrap around in a bad way */
+    scratch = secp256k1_scratch_space_create(none, 1000);
+    /* Try max allocation with a large number of objects. Only makes sense if
+     * ALIGNMENT is greater than 1 because otherwise the objects take no extra
+     * space. */
+    CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
+    secp256k1_scratch_space_destroy(none, scratch);
+
     /* cleanup */
     secp256k1_scratch_space_destroy(none, NULL); /* no-op */
     secp256k1_context_destroy(none);

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,10 @@ static size_t secp256k1_scratch_max_allocation(const secp256k1_callback* error_c`
`60`	`60`	`secp256k1_callback_call(error_callback, "invalid scratch space");`
`61`	`61`	`return 0;`
`62`	`62`	`}`
	`63`	`+ /* Ensure that multiplication will not wrap around */`
	`64`	`+ if (ALIGNMENT > 1 && objects > SIZE_MAX/(ALIGNMENT - 1)) {`
	`65`	`+ return 0;`
	`66`	`+ }`
`63`	`67`	`if (scratch->max_size - scratch->alloc_size <= objects * (ALIGNMENT - 1)) {`
`64`	`68`	`return 0;`
`65`	`69`	`}`