Bug 2029323 - Improve size calculations in CMS content buffering

2026-05-26 13:58:49 +00:00 · 2026-04-26 10:31:29 +02:00
parent aad6fdd59b
commit 0329082cf0
1 changed files with 13 additions and 2 deletions
@@ -529,8 +529,19 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
        SECItem *dataItem = &decoderData->data;

        offset = dataItem->len;
+        /* Reject if accumulated size would exceed unsigned int storage. */
+        if (len > (unsigned long)(PR_UINT32_MAX - dataItem->len)) {
+            p7dcx->error = SEC_ERROR_INPUT_LEN;
+            goto loser;
+        }
        if (dataItem->len + len > decoderData->totalBufferSize) {
-            int needLen = (dataItem->len + len) * 2;
+            /* Use size_t to avoid truncating the 64-bit sum to int.
+             * Double to amortize repeated reallocations across chunks. */
+            size_t needLen = (size_t)dataItem->len + len;
+            /* Only double if the result still fits in unsigned int. */
+            if (needLen <= PR_UINT32_MAX / 2) {
+                needLen *= 2;
+            }
            dest = (unsigned char *)
                PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
            if (dest == NULL) {
@@ -541,7 +552,7 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
            if (dataItem->len) {
                PORT_Memcpy(dest, dataItem->data, dataItem->len);
            }
-            decoderData->totalBufferSize = needLen;
+            decoderData->totalBufferSize = (unsigned int)needLen;
            dataItem->data = dest;
        }