From 7b425e06f940fbc0a1d962bee7695530fcc70ceb Mon Sep 17 00:00:00 2001 From: George Hazan Date: Fri, 15 Mar 2019 16:04:01 +0300 Subject: libssh updated to 1.8.1 --- libs/libssh2/src/comp.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'libs/libssh2/src/comp.c') diff --git a/libs/libssh2/src/comp.c b/libs/libssh2/src/comp.c index 4560188bb7..6293195907 100644 --- a/libs/libssh2/src/comp.c +++ b/libs/libssh2/src/comp.c @@ -224,7 +224,12 @@ comp_method_zlib_decomp(LIBSSH2_SESSION * session, /* A short-term alloc of a full data chunk is better than a series of reallocs */ char *out; - int out_maxlen = 4 * src_len; + size_t out_maxlen = src_len; + + if (src_len <= SIZE_MAX / 4) + out_maxlen = src_len * 4; + else + out_maxlen = payload_limit; /* If strm is null, then we have not yet been initialized. */ if (strm == NULL) @@ -271,7 +276,7 @@ comp_method_zlib_decomp(LIBSSH2_SESSION * session, "decompression failure"); } - if (out_maxlen >= (int) payload_limit) { + if (out_maxlen > (int) payload_limit || out_maxlen > SIZE_MAX / 2) { LIBSSH2_FREE(session, out); return _libssh2_error(session, LIBSSH2_ERROR_ZLIB, "Excessive growth in decompression phase"); -- cgit v1.2.3