Diffstat (limited to 'libs/libssh2/src/comp.c')
-rw-r--r-- | libs/libssh2/src/comp.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/libs/libssh2/src/comp.c b/libs/libssh2/src/comp.c
index 4560188bb7..6293195907 100644
--- a/libs/libssh2/src/comp.c
+++ b/libs/libssh2/src/comp.c
@@ -224,7 +224,12 @@ comp_method_zlib_decomp(LIBSSH2_SESSION * session,
 /* A short-term alloc of a full data chunk is better than a series of reallocs */
 char *out;
- int out_maxlen = 4 * src_len;
+ size_t out_maxlen = src_len;
+
+ if (src_len <= SIZE_MAX / 4)
+ out_maxlen = src_len * 4;
+ else
+ out_maxlen = payload_limit;
 /* If strm is null, then we have not yet been initialized. */
 if (strm == NULL)
@@ -271,7 +276,7 @@ comp_method_zlib_decomp(LIBSSH2_SESSION * session,
 "decompression failure");
 }
- if (out_maxlen >= (int) payload_limit) {
+ if (out_maxlen > (int) payload_limit || out_maxlen > SIZE_MAX / 2) {
 LIBSSH2_FREE(session, out);
 return _libssh2_error(session, LIBSSH2_ERROR_ZLIB, "Excessive growth in decompression phase"); |
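Review bot: On the non-overflow path in the first hunk the initial buffer size is still `src_len * 4` with no comparison against `payload_limit`, so the first allocation can exceed the limit that the growth check later in the function enforces; only the wrap-around path falls back to `payload_limit`. If the limit is meant to bound every allocation, clamp here as well: `if (src_len > SIZE_MAX / 4 || src_len * 4 > payload_limit) out_maxlen = payload_limit; else out_maxlen = src_len * 4;`. The initialiser `= src_len` is dead because both branches assign, and a comment such as `/* guard the 4x estimate against size_t wrap-around */` would record why the branch exists. The function body continues outside the hunk, so whether `out_maxlen` is narrowed again when it is handed to zlib cannot be checked from here.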
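Review bot: The `(int)` cast on `payload_limit` in the second hunk is a leftover from the signed `out_maxlen` and now weakens the bound. Because `out_maxlen` is `size_t`, the cast result is converted back to unsigned for the comparison, so a `payload_limit` above `INT_MAX` (assuming it is an unsigned size type, as the cast suggests) would typically become a huge value that the check never trips on. Compare in one type instead: `if (out_maxlen > payload_limit || out_maxlen > SIZE_MAX / 2) {`. The operator also changed from `>=` to `>`, which admits a buffer of exactly `payload_limit`; that matches the fallback assigned in the first hunk but deserves a short comment, as does the `SIZE_MAX / 2` term, which presumably protects a doubling step that lies outside this hunk.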