From 9192aa041d60e8777818c15a24c29717aaf7fe33 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Sat, 28 Dec 2013 06:22:49 -0500
Subject: [PATCH] buffer.c: guard against bad input

The byte limit would be hit if adding one byte to a buffer that's half the limit, due to the temporary double copy. Not sure if that's something that's worth changing.
---
 qrexec-lib/buffer.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/qrexec-lib/buffer.c b/qrexec-lib/buffer.c
index 3680e2f..f0be787 100644
--- a/qrexec-lib/buffer.c
+++ b/qrexec-lib/buffer.c
@@ -69,8 +69,16 @@ we keep them so simple to make them obviously correct.
 void buffer_append(struct buffer *b, char *data, int len)
 {
-    int newsize = len + b->buflen;
-    char *qdata = limited_malloc(len + b->buflen);
+    int newsize;
+    char *qdata;
+    if (len < 0 || len > BUFFER_LIMIT) {
+        fprintf(stderr, "buffer_append %d\n", len);
+        exit(1);
+    }
+    if (len == 0)
+        return;
+    newsize = len + b->buflen;
+    qdata = limited_malloc(len + b->buflen);
     memcpy(qdata, b->data, b->buflen);
     memcpy(qdata + b->buflen, data, len);
     buffer_free(b);
@@ -80,9 +88,17 @@ void buffer_append(struct buffer *b, char *data, int len)
 void buffer_remove(struct buffer *b, int len)
 {
-    int newsize = b->buflen - len;
-    char *qdata = limited_malloc(newsize);
-    memcpy(qdata, b->data + len, newsize);
+    int newsize;
+    char *qdata = NULL;
+    if (len < 0 || len > b->buflen) {
+        fprintf(stderr, "buffer_remove %d/%d\n", len, b->buflen);
+        exit(1);
+    }
+    newsize = b->buflen - len;
+    if (newsize > 0) {
+        qdata = limited_malloc(newsize);
+        memcpy(qdata, b->data + len, newsize);
+    }
     buffer_free(b);
     b->buflen = newsize;
     b->data = qdata;
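Review bot: The new guard in buffer_append bounds only `len`, not the total `len + b->buflen` computed two lines later, so an append that pushes the buffer past BUFFER_LIMIT still reaches `limited_malloc`, and whether that call rejects it depends on code outside this hunk; with `int` operands the sum can also wrap if the limit is large enough, which is not visible here. Checking the remaining room instead, `if (len < 0 || len > BUFFER_LIMIT - b->buflen) {`, rejects the oversize append at the same place as the other bad inputs and cannot overflow as long as `b->buflen` itself never exceeds BUFFER_LIMIT (presumably the case if every write goes through this function, but worth confirming against buffer_init). The diagnostic could then report both sizes, `fprintf(stderr, "buffer_append %d/%d\n", len, b->buflen);`, matching the format the buffer_remove hunk uses. `data` is still unchecked, so a NULL `data` with a positive `len` reaches the second memcpy. buffer_append's body continues past the end of the hunk.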
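Review bot: After this change a buffer emptied by buffer_remove is left with `b->data == NULL` and `b->buflen == 0`, and the buffer_append hunk above still passes that pointer to `memcpy(qdata, b->data, b->buflen)`; a zero-length memcpy with a null source is undefined in C11 (7.24.1p2), and optimizers may treat the pointer as non-null afterwards. Guarding that copy, `if (b->buflen > 0) memcpy(qdata, b->data, b->buflen);`, or keeping a non-NULL `b->data` on the `newsize == 0` path, keeps the two functions consistent; buffer_init and any other readers of `b->data` are not in this patch, so whether they tolerate NULL should be confirmed. A `len == 0` call still reallocates and copies the whole buffer, unlike the early return buffer_append now has; `if (len == 0) return;` after the range check would make the two symmetric. buffer_remove's closing brace is outside the hunk.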