libkern/c++/OSData.cpp xnu-2050.22.13 xnu-2782.40.9
--- xnu/xnu-2050.22.13/libkern/c++/OSData.cpp
+++ xnu/xnu-2782.40.9/libkern/c++/OSData.cpp
@@ -56,12 +56,6 @@
 #define ACCUMSIZE(s)
 #endif
 
-struct OSData::ExpansionData
-{
-    DeallocFunction deallocFunction;
-    bool            disableSerialization;
-};
-
 bool OSData::initWithCapacity(unsigned int inCapacity)
 {
     if (!super::init())
@@ -224,24 +218,29 @@
 unsigned int OSData::ensureCapacity(unsigned int newCapacity)
 {
     unsigned char * newData;
+    unsigned int finalCapacity;
 
     if (newCapacity <= capacity)
         return capacity;
 
-    newCapacity = (((newCapacity - 1) / capacityIncrement) + 1)
+    finalCapacity = (((newCapacity - 1) / capacityIncrement) + 1)
                 * capacityIncrement;
 
-    newData = (unsigned char *) kalloc(newCapacity);
-    
+    // integer overflow check
+    if (finalCapacity < newCapacity)
+        return capacity;
+
+    newData = (unsigned char *) kalloc(finalCapacity);
+
     if ( newData ) {
-        bzero(newData + capacity, newCapacity - capacity);
+        bzero(newData + capacity, finalCapacity - capacity);
         if (data) {
             bcopy(data, newData, capacity);
             kfree(data, capacity);
         }
-        ACCUMSIZE( newCapacity - capacity );
+        ACCUMSIZE( finalCapacity - capacity );
         data = (void *) newData;
-        capacity = newCapacity;
+        capacity = finalCapacity;
     }
 
     return capacity;
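Review bot: The new check on the line after `finalCapacity` is computed relies on a non-obvious property: when the round-up to a multiple of `capacityIncrement` wraps, the wrapped product is always below `newCapacity` (it exceeds `newCapacity` by less than `capacityIncrement` before wrapping, and `capacityIncrement` is itself below 2^32), so the comparison is sound, but `// integer overflow check` does not say why a single `<` comparison suffices. I would expand it to `// Rounding up may wrap; a wrapped product is always smaller than newCapacity, so refuse rather than allocate an undersized buffer.` The refusal path returns the old `capacity`, the same value a failed kalloc() yields, so callers must compare the result with the size they asked for; a one-line comment on that return would make the contract explicit. The division by `capacityIncrement` on the unchanged side would still trap on zero; whether a nonzero increment is guaranteed at init is outside this hunk. The function's closing brace lies past the end of the hunk.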
@@ -447,8 +446,8 @@
     if (!reserved)
     {
     	reserved = (typeof(reserved)) kalloc(sizeof(ExpansionData));
-	if (!reserved) return;
-	bzero(reserved, sizeof(ExpansionData));
+        if (!reserved) return;
+        bzero(reserved, sizeof(ExpansionData));
     }
     reserved->deallocFunction = func;
 }