[OTR-dev] [PATCH 8/9] Check for overflow and the return value of malloc() in otrl_message_symkey().
Andreas Schlick
ninox+otr at posteo.net
Wed Oct 22 14:39:26 EDT 2014
---
src/message.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/message.c b/src/message.c
index 68ee9e7..333ee0c 100644
--- a/src/message.c
+++ b/src/message.c
@@ -22,6 +22,7 @@
/* system headers */
#include <stdio.h>
#include <stdlib.h>
+#include <stdint.h>
#include <time.h>
/* libgcrypt headers */
@@ -1923,17 +1924,22 @@ gcry_error_t otrl_message_symkey(OtrlUserState us,
unsigned int use, const unsigned char *usedata, size_t usedatalen,
unsigned char *symkey)
{
- if (!context || (usedatalen > 0 && !usedata)) {
- return gcry_error(GPG_ERR_INV_VALUE);
+ if (!context || (usedatalen > 0 && !usedata) || usedatalen > SIZE_MAX-4) {
+ return gcry_error(GPG_ERR_INV_VALUE);
}
if (context->msgstate == OTRL_MSGSTATE_ENCRYPTED &&
context->context_priv->their_keyid > 0) {
- unsigned char *tlvdata = malloc(usedatalen+4);
+ unsigned char *tlvdata = NULL;
char *encmsg = NULL;
gcry_error_t err;
OtrlTLV *tlv;
+ tlvdata = malloc(usedatalen+4);
+ if (!tlvdata) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+
tlvdata[0] = (use >> 24) & 0xff;
tlvdata[1] = (use >> 16) & 0xff;
tlvdata[2] = (use >> 8) & 0xff;
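Review bot: The new bound in the first `if`, `usedatalen > SIZE_MAX-4`, only keeps `usedatalen+4` from wrapping in the `malloc()` call, so it still accepts lengths far larger than a single TLV record is likely to carry. The rest of otrl_message_symkey lies outside this hunk, but if the same sum is later handed to the TLV constructor as a 16-bit length (to be confirmed against its prototype), a large `usedatalen` would be silently truncated there. A tighter guard such as `usedatalen > 0xffff - 4` would reject such input up front with GPG_ERR_INV_VALUE. A short comment on the constant would also help, e.g. `/* 4 = size of the big-endian 'use' prefix stored at the start of tlvdata */`.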
--
2.1.2