From 0329082cf0c038f13b511bc00b6f6f42c1142b63 Mon Sep 17 00:00:00 2001 From: Dennis Jackson Date: Sun, 26 Apr 2026 10:31:29 +0200 Subject: [PATCH] Bug 2029323 - Improve size calculations in CMS content buffering --- security/nss/lib/smime/cmsdecode.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/security/nss/lib/smime/cmsdecode.c b/security/nss/lib/smime/cmsdecode.c index 69965bdd7d..0edea07d43 100644 --- a/security/nss/lib/smime/cmsdecode.c +++ b/security/nss/lib/smime/cmsdecode.c @@ -529,8 +529,19 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, SECItem *dataItem = &decoderData->data; offset = dataItem->len; + /* Reject if accumulated size would exceed unsigned int storage. */ + if (len > (unsigned long)(PR_UINT32_MAX - dataItem->len)) { + p7dcx->error = SEC_ERROR_INPUT_LEN; + goto loser; + } if (dataItem->len + len > decoderData->totalBufferSize) { - int needLen = (dataItem->len + len) * 2; + /* Use size_t to avoid truncating the 64-bit sum to int. + * Double to amortize repeated reallocations across chunks. */ + size_t needLen = (size_t)dataItem->len + len; + /* Only double if the result still fits in unsigned int. */ + if (needLen <= PR_UINT32_MAX / 2) { + needLen *= 2; + } dest = (unsigned char *) PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); if (dest == NULL) { @@ -541,7 +552,7 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, if (dataItem->len) { PORT_Memcpy(dest, dataItem->data, dataItem->len); } - decoderData->totalBufferSize = needLen; + decoderData->totalBufferSize = (unsigned int)needLen; dataItem->data = dest; }