diff --git a/channels/drive/client/drive_file.c b/channels/drive/client/drive_file.c index 45d3c181c..bd8b1dc6d 100644 --- a/channels/drive/client/drive_file.c +++ b/channels/drive/client/drive_file.c @@ -1052,7 +1052,7 @@ BOOL drive_file_query_directory(DRIVE_FILE* file, UINT32 FsInformationClass, BYT else if (!FindNextFileW(file->find_handle, &file->find_data)) goto out_fail; - length = _wcslen(file->find_data.cFileName) * 2; + length = _wcslen(file->find_data.cFileName) * sizeof(WCHAR); switch (FsInformationClass) { diff --git a/channels/remdesk/common/remdesk_common.c b/channels/remdesk/common/remdesk_common.c index a4600e764..1907fb03d 100644 --- a/channels/remdesk/common/remdesk_common.c +++ b/channels/remdesk/common/remdesk_common.c @@ -36,7 +36,7 @@ UINT remdesk_write_channel_header(wStream* s, const REMDESK_CHANNEL_HEADER* head } const size_t ChannelNameLen = - (strnlen(header->ChannelName, sizeof(header->ChannelName)) + 1) * 2; + (strnlen(header->ChannelName, sizeof(header->ChannelName)) + 1) * sizeof(WCHAR); WINPR_ASSERT(ChannelNameLen <= ARRAYSIZE(header->ChannelName)); Stream_Write_UINT32(s, (UINT32)ChannelNameLen); /* ChannelNameLen (4 bytes) */ diff --git a/channels/remdesk/server/remdesk_main.c b/channels/remdesk/server/remdesk_main.c index 445027aac..0189c31ec 100644 --- a/channels/remdesk/server/remdesk_main.c +++ b/channels/remdesk/server/remdesk_main.c @@ -185,7 +185,7 @@ static UINT remdesk_recv_ctl_remote_control_desktop_pdu(RemdeskServerContext* co return ERROR_INVALID_DATA; cchStringW++; - const size_t cbRaConnectionStringW = cchStringW * 2; + const size_t cbRaConnectionStringW = cchStringW * sizeof(WCHAR); pdu.raConnectionString = ConvertWCharNToUtf8Alloc(raConnectionStringW, cbRaConnectionStringW / sizeof(WCHAR), NULL); if (!pdu.raConnectionString) @@ -240,7 +240,7 @@ static UINT remdesk_recv_ctl_authenticate_pdu(WINPR_ATTR_UNUSED RemdeskServerCon return ERROR_INVALID_DATA; cchStringW++; - const size_t cbExpertBlobW = cchStringW * 2; + const size_t cbExpertBlobW = cchStringW * sizeof(WCHAR); pdu.raConnectionString = ConvertWCharNToUtf8Alloc(raConnectionStringW, cbRaConnectionStringW / sizeof(WCHAR), NULL); if (!pdu.raConnectionString) diff --git a/channels/tsmf/client/ffmpeg/tsmf_ffmpeg.c b/channels/tsmf/client/ffmpeg/tsmf_ffmpeg.c index 12da2601b..22c55d742 100644 --- a/channels/tsmf/client/ffmpeg/tsmf_ffmpeg.c +++ b/channels/tsmf/client/ffmpeg/tsmf_ffmpeg.c @@ -488,12 +488,12 @@ static BOOL tsmf_ffmpeg_decode_audio(ITSMFDecoder* decoder, const BYTE* data, UI if (mdecoder->decoded_size_max - mdecoder->decoded_size < MAX_AUDIO_FRAME_SIZE) { BYTE* tmp_data = NULL; - tmp_data = realloc(mdecoder->decoded_data, mdecoder->decoded_size_max * 2 + 16); + tmp_data = realloc(mdecoder->decoded_data, mdecoder->decoded_size_max * 2ull + 16ull); if (!tmp_data) return FALSE; - mdecoder->decoded_size_max = mdecoder->decoded_size_max * 2 + 16; + mdecoder->decoded_size_max = mdecoder->decoded_size_max * 2ull + 16ull; mdecoder->decoded_data = tmp_data; dst = (BYTE*)(((uintptr_t)mdecoder->decoded_data + 15) & ~0x0F); diff --git a/channels/tsmf/client/tsmf_media.c b/channels/tsmf/client/tsmf_media.c index 25abd7ed9..8cb3ea614 100644 --- a/channels/tsmf/client/tsmf_media.c +++ b/channels/tsmf/client/tsmf_media.c @@ -387,7 +387,7 @@ static char* guid_to_string(const BYTE* guid, char* str, size_t len) TSMF_PRESENTATION* tsmf_presentation_find_by_id(const BYTE* guid) { BOOL found = FALSE; - char guid_str[GUID_SIZE * 2 + 1] = { 0 }; + char guid_str[GUID_SIZE * 2ull + 1] = { 0 }; TSMF_PRESENTATION* presentation = NULL; ArrayList_Lock(presentation_list); const size_t count = ArrayList_Count(presentation_list); diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c index d465ff9be..2491bf7e1 100644 --- a/channels/urbdrc/client/libusb/libusb_udevice.c +++ b/channels/urbdrc/client/libusb/libusb_udevice.c @@ -917,10 +917,10 @@ static UINT32 libusb_udev_control_query_device_text(IUDEVICE* idev, UINT32 TextT * So also check the string length returned as server side does * not honor strings with multi '\0' characters well. */ - const size_t rchar = _wcsnlen((WCHAR*)&data[2], sizeof(data) / 2); + const size_t rchar = _wcsnlen((WCHAR*)&data[2], sizeof(data) / sizeof(WCHAR)); len = MIN((BYTE)ret - 2, slen); len = MIN(len, inSize); - len = MIN(len, rchar * 2 + sizeof(WCHAR)); + len = MIN(len, rchar * sizeof(WCHAR) + sizeof(WCHAR)); memcpy(Buffer, &data[2], len); /* Just as above, the returned WCHAR string should be '\0' diff --git a/client/Android/Studio/freeRDPCore/src/main/cpp/android_event.c b/client/Android/Studio/freeRDPCore/src/main/cpp/android_event.c index da3d2aab2..5a9fb2421 100644 --- a/client/Android/Studio/freeRDPCore/src/main/cpp/android_event.c +++ b/client/Android/Studio/freeRDPCore/src/main/cpp/android_event.c @@ -28,10 +28,16 @@ BOOL android_push_event(freerdp* inst, ANDROID_EVENT* event) if (aCtx->event_queue->count >= aCtx->event_queue->size) { - int new_size; - void* new_events; - new_size = aCtx->event_queue->size * 2; - new_events = realloc((void*)aCtx->event_queue->events, sizeof(ANDROID_EVENT*) * new_size); + size_t new_size = aCtx->event_queue->size; + do + { + if (new_size >= SIZE_MAX - 128ull) + return FALSE; + + new_size += 128ull; + } while (new_size <= aCtx->event_queue->count); + void* new_events = + realloc((void*)aCtx->event_queue->events, sizeof(ANDROID_EVENT*) * new_size); if (!new_events) return FALSE; diff --git a/client/Windows/wf_cliprdr.c b/client/Windows/wf_cliprdr.c index 61207cfbc..e77b56bf8 100644 --- a/client/Windows/wf_cliprdr.c +++ b/client/Windows/wf_cliprdr.c @@ -1122,10 +1122,13 @@ static void map_ensure_capacity(wfClipboard* clipboard) if (clipboard->map_size >= clipboard->map_capacity) { - size_t new_size; - formatMapping* new_map; - new_size = clipboard->map_capacity * 2; - new_map = + size_t new_size = clipboard->map_capacity; + do + { + WINPR_ASSERT(new_size <= SIZE_MAX - 128ull); + new_size += 128ull; + } while (new_size <= clipboard->map_size); + formatMapping* new_map = (formatMapping*)realloc(clipboard->format_mappings, sizeof(formatMapping) * new_size); if (!new_map) diff --git a/client/X11/xf_event.c b/client/X11/xf_event.c index 0a7dc80c1..7ab5b370f 100644 --- a/client/X11/xf_event.c +++ b/client/X11/xf_event.c @@ -894,10 +894,8 @@ static BOOL xf_event_ConfigureNotify(xfContext* xfc, const XConfigureEvent* even if (freerdp_settings_get_bool(settings, FreeRDP_DynamicResolutionUpdate)) { - int alignedWidth = 0; - int alignedHeight = 0; - alignedWidth = (xfc->window->width / 2) * 2; - alignedHeight = (xfc->window->height / 2) * 2; + const int alignedWidth = (xfc->window->width / 2) * 2; + const int alignedHeight = (xfc->window->height / 2) * 2; /* ask the server to resize using the display channel */ xf_disp_handle_configureNotify(xfc, alignedWidth, alignedHeight); } diff --git a/libfreerdp/core/gcc.c b/libfreerdp/core/gcc.c index d6c716ce0..ebcec5920 100644 --- a/libfreerdp/core/gcc.c +++ b/libfreerdp/core/gcc.c @@ -1999,7 +1999,8 @@ BOOL gcc_write_server_network_data(wStream* s, const rdpMcs* mcs) { WINPR_ASSERT(s); WINPR_ASSERT(mcs); - const size_t payloadLen = 8 + mcs->channelCount * 2 + (mcs->channelCount % 2 == 1 ? 2 : 0); + const size_t payloadLen = + 8ull + mcs->channelCount * 2ull + (mcs->channelCount % 2 == 1 ? 2ull : 0ull); WINPR_ASSERT(payloadLen <= UINT16_MAX); if (!gcc_write_user_data_header(s, SC_NET, (UINT16)payloadLen)) diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c index 8eb6c4f2d..3ae8d36d8 100644 --- a/libfreerdp/core/orders.c +++ b/libfreerdp/core/orders.c @@ -3302,7 +3302,7 @@ size_t update_approximate_create_offscreen_bitmap_order( deleteList = &(create_offscreen_bitmap->deleteList); WINPR_ASSERT(deleteList); - return 32 + deleteList->cIndices * 2; + return 32ull + deleteList->cIndices * 2ull; } BOOL update_write_create_offscreen_bitmap_order( diff --git a/libfreerdp/core/proxy.c b/libfreerdp/core/proxy.c index 873fad43e..d5b988159 100644 --- a/libfreerdp/core/proxy.c +++ b/libfreerdp/core/proxy.c @@ -597,7 +597,7 @@ static BOOL http_proxy_connect(rdpContext* context, BIO* bufferedBio, const char hostLen = strlen(hostname); portLen = strnlen(port_str, sizeof(port_str)); - reserveSize = strlen(connect) + (hostLen + 1 + portLen) * 2 + strlen(httpheader); + reserveSize = strlen(connect) + (hostLen + 1ull + portLen) * 2ull + strlen(httpheader); s = Stream_New(NULL, reserveSize); if (!s) goto fail; diff --git a/libfreerdp/crypto/base64.c b/libfreerdp/crypto/base64.c index 27394e0b3..91cce5eec 100644 --- a/libfreerdp/crypto/base64.c +++ b/libfreerdp/crypto/base64.c @@ -313,7 +313,7 @@ static inline char* base64_encode_ex(const BYTE* WINPR_RESTRICT alphabet, if (crLf) { size_t nCrLf = (outLen + lineSize - 1) / lineSize; - extra = nCrLf * 2; + extra = nCrLf * 2ull; } size_t outCounter = 0; diff --git a/winpr/libwinpr/clipboard/synthetic_file.c b/winpr/libwinpr/clipboard/synthetic_file.c index 147d99b4b..0793daf39 100644 --- a/winpr/libwinpr/clipboard/synthetic_file.c +++ b/winpr/libwinpr/clipboard/synthetic_file.c @@ -759,7 +759,7 @@ static void* convert_filedescriptors_to_file_list(wClipboard* clipboard, UINT32 alloc += ARRAYSIZE(dsc->cFileName) * 8; /* Overallocate, just take the biggest value the result path can have */ /* # (1 char) -> %23 (3 chars) , the first char is replaced inplace */ - alloc += count_special_chars(dsc->cFileName) * 2; + alloc += count_special_chars(dsc->cFileName) * sizeof(WCHAR); alloc += decoration_len; } } diff --git a/winpr/libwinpr/crt/buffer.c b/winpr/libwinpr/crt/buffer.c index fc914c9e8..876309eca 100644 --- a/winpr/libwinpr/crt/buffer.c +++ b/winpr/libwinpr/crt/buffer.c @@ -39,7 +39,7 @@ errno_t memmove_s(void* dest, size_t numberOfElements, const void* src, size_t c errno_t wmemmove_s(WCHAR* dest, size_t numberOfElements, const WCHAR* src, size_t count) { - if (count * 2 > numberOfElements) + if (count * sizeof(WCHAR) > numberOfElements) return -1; memmove(dest, src, count * 2); diff --git a/winpr/libwinpr/environment/environment.c b/winpr/libwinpr/environment/environment.c index 345037bdf..b9419ec15 100644 --- a/winpr/libwinpr/environment/environment.c +++ b/winpr/libwinpr/environment/environment.c @@ -30,6 +30,10 @@ #include +#include "../log.h" + +#define TAG WINPR_TAG("environment") + #ifndef _WIN32 #include @@ -100,19 +104,19 @@ DWORD GetCurrentDirectoryA(DWORD nBufferLength, LPSTR lpBuffer) DWORD GetCurrentDirectoryW(WINPR_ATTR_UNUSED DWORD nBufferLength, WINPR_ATTR_UNUSED LPWSTR lpBuffer) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return 0; } BOOL SetCurrentDirectoryA(WINPR_ATTR_UNUSED LPCSTR lpPathName) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } BOOL SetCurrentDirectoryW(WINPR_ATTR_UNUSED LPCWSTR lpPathName) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } @@ -120,7 +124,7 @@ DWORD SearchPathA(WINPR_ATTR_UNUSED LPCSTR lpPath, WINPR_ATTR_UNUSED LPCSTR lpFi WINPR_ATTR_UNUSED LPCSTR lpExtension, WINPR_ATTR_UNUSED DWORD nBufferLength, WINPR_ATTR_UNUSED LPSTR lpBuffer, WINPR_ATTR_UNUSED LPSTR* lpFilePart) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return 0; } @@ -128,31 +132,31 @@ DWORD SearchPathW(WINPR_ATTR_UNUSED LPCWSTR lpPath, WINPR_ATTR_UNUSED LPCWSTR lp WINPR_ATTR_UNUSED LPCWSTR lpExtension, WINPR_ATTR_UNUSED DWORD nBufferLength, WINPR_ATTR_UNUSED LPWSTR lpBuffer, WINPR_ATTR_UNUSED LPWSTR* lpFilePart) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return 0; } LPSTR GetCommandLineA(VOID) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return NULL; } LPWSTR GetCommandLineW(VOID) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return NULL; } BOOL NeedCurrentDirectoryForExePathA(WINPR_ATTR_UNUSED LPCSTR ExeName) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } BOOL NeedCurrentDirectoryForExePathW(WINPR_ATTR_UNUSED LPCWSTR ExeName) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } @@ -192,7 +196,7 @@ DWORD GetEnvironmentVariableA(LPCSTR lpName, LPSTR lpBuffer, DWORD nSize) DWORD GetEnvironmentVariableW(WINPR_ATTR_UNUSED LPCWSTR lpName, WINPR_ATTR_UNUSED LPWSTR lpBuffer, WINPR_ATTR_UNUSED DWORD nSize) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); SetLastError(ERROR_ENVVAR_NOT_FOUND); return 0; } @@ -224,7 +228,7 @@ BOOL SetEnvironmentVariableA(LPCSTR lpName, LPCSTR lpValue) BOOL SetEnvironmentVariableW(WINPR_ATTR_UNUSED LPCWSTR lpName, WINPR_ATTR_UNUSED LPCWSTR lpValue) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return FALSE; } @@ -249,32 +253,35 @@ extern char** environ; LPCH GetEnvironmentStringsA(VOID) { #if !defined(_UWP) - char* p = NULL; size_t offset = 0; - size_t length = 0; - char** envp = NULL; - DWORD cchEnvironmentBlock = 0; - LPCH lpszEnvironmentBlock = NULL; + char** envp = environ; + const size_t blocksize = 128; + size_t cchEnvironmentBlock = blocksize; + LPCH lpszEnvironmentBlock = (LPCH)calloc(cchEnvironmentBlock, sizeof(CHAR)); - offset = 0; - envp = environ; - - cchEnvironmentBlock = 128; - lpszEnvironmentBlock = (LPCH)calloc(cchEnvironmentBlock, sizeof(CHAR)); if (!lpszEnvironmentBlock) return NULL; while (*envp) { - length = strlen(*envp); - - while ((offset + length + 8) > cchEnvironmentBlock) + const size_t length = strlen(*envp); + const size_t required = offset + length + 8ull; + if (required > UINT32_MAX) { - DWORD new_size = 0; - LPCH new_blk = NULL; + WLog_ERR(TAG, "Environment block too large: %" PRIuz, required); - new_size = cchEnvironmentBlock * 2; - new_blk = (LPCH)realloc(lpszEnvironmentBlock, new_size * sizeof(CHAR)); + free(lpszEnvironmentBlock); + return NULL; + } + + if (required > cchEnvironmentBlock) + { + size_t new_size = cchEnvironmentBlock; + do + { + new_size += blocksize; + } while (new_size <= required); + LPCH new_blk = (LPCH)realloc(lpszEnvironmentBlock, new_size * sizeof(CHAR)); if (!new_blk) { free(lpszEnvironmentBlock); @@ -285,12 +292,12 @@ LPCH GetEnvironmentStringsA(VOID) cchEnvironmentBlock = new_size; } - p = &(lpszEnvironmentBlock[offset]); + char* p = &(lpszEnvironmentBlock[offset]); CopyMemory(p, *envp, length * sizeof(CHAR)); p[length] = '\0'; - offset += (length + 1); + offset += (length + 1ull); envp++; } @@ -304,33 +311,33 @@ LPCH GetEnvironmentStringsA(VOID) LPWCH GetEnvironmentStringsW(VOID) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return NULL; } BOOL SetEnvironmentStringsA(WINPR_ATTR_UNUSED LPCH NewEnvironment) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } BOOL SetEnvironmentStringsW(WINPR_ATTR_UNUSED LPWCH NewEnvironment) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return TRUE; } DWORD ExpandEnvironmentStringsA(WINPR_ATTR_UNUSED LPCSTR lpSrc, WINPR_ATTR_UNUSED LPSTR lpDst, WINPR_ATTR_UNUSED DWORD nSize) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return 0; } DWORD ExpandEnvironmentStringsW(WINPR_ATTR_UNUSED LPCWSTR lpSrc, WINPR_ATTR_UNUSED LPWSTR lpDst, WINPR_ATTR_UNUSED DWORD nSize) { - WLog_ERR("TODO", "TODO: not implemented"); + WLog_ERR(TAG, "TODO: not implemented"); return 0; } diff --git a/winpr/libwinpr/file/file.c b/winpr/libwinpr/file/file.c index 112dc43a6..051a397cc 100644 --- a/winpr/libwinpr/file/file.c +++ b/winpr/libwinpr/file/file.c @@ -1403,7 +1403,7 @@ DWORD GetFullPathNameA(LPCSTR lpFileName, DWORD nBufferLength, LPSTR lpBuffer, L free(lpFileNameW); free(lpBufferW); - return dwStatus * 2; + return WINPR_ASSERTING_INT_CAST(DWORD, dwStatus * sizeof(WCHAR)); } BOOL GetDiskFreeSpaceA(LPCSTR lpRootPathName, LPDWORD lpSectorsPerCluster, LPDWORD lpBytesPerSector, diff --git a/winpr/libwinpr/ncrypt/ncrypt.c b/winpr/libwinpr/ncrypt/ncrypt.c index 18d64e30b..05315b45f 100644 --- a/winpr/libwinpr/ncrypt/ncrypt.c +++ b/winpr/libwinpr/ncrypt/ncrypt.c @@ -120,7 +120,7 @@ SECURITY_STATUS NCryptEnumStorageProviders(DWORD* wProviderCount, #ifdef WITH_PKCS11 *wProviderCount += 1; - stringAllocSize += (_wcslen(MS_SCARD_PROV) + 1) * 2; + stringAllocSize += (_wcslen(MS_SCARD_PROV) + 1) * sizeof(WCHAR); stringAllocSize += sizeof(emptyComment); #endif @@ -135,7 +135,7 @@ SECURITY_STATUS NCryptEnumStorageProviders(DWORD* wProviderCount, strPtr = (LPWSTR)(ret + *wProviderCount); ret->pszName = strPtr; - copyAmount = (_wcslen(MS_SCARD_PROV) + 1) * 2; + copyAmount = (_wcslen(MS_SCARD_PROV) + 1) * sizeof(WCHAR); memcpy(strPtr, MS_SCARD_PROV, copyAmount); strPtr += copyAmount / 2; diff --git a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c index 55a3cf076..bc31616ca 100644 --- a/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c +++ b/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c @@ -821,11 +821,12 @@ static SECURITY_STATUS NCryptP11EnumKeys(NCRYPT_PROV_HANDLE hProvider, LPCWSTR p { /* sizeof keyName struct + "\\" + keyName->pszAlgid */ DWORD algoSz = 0; - size_t KEYNAME_SZ = - (1 + (sizeof(key->slotId) * 2) /*slotId*/ + 1 + (key->idLen * 2) + 1) * 2; + size_t KEYNAME_SZ = (1ull + (sizeof(key->slotId) * 2ull) /*slotId*/ + 1ull + + (key->idLen * 2ull) + 1ull) * + sizeof(WCHAR); convertKeyType(key->keyType, NULL, 0, &algoSz); - KEYNAME_SZ += (1ULL + algoSz) * 2ULL; + KEYNAME_SZ += (1ULL + algoSz) * sizeof(WCHAR); keyName = calloc(1, sizeof(*keyName) + KEYNAME_SZ); if (!keyName) diff --git a/winpr/libwinpr/path/include/PathAllocCombine.h b/winpr/libwinpr/path/include/PathAllocCombine.h index 4837343c8..5461252a9 100644 --- a/winpr/libwinpr/path/include/PathAllocCombine.h +++ b/winpr/libwinpr/path/include/PathAllocCombine.h @@ -78,7 +78,7 @@ HRESULT PATH_ALLOC_COMBINE(PCWSTR pszPathIn, PCWSTR pszMore, else { const size_t pszPathOutLength = pszPathInLength + pszMoreLength; - const size_t sizeOfBuffer = (pszPathOutLength + 1) * 2; + const size_t sizeOfBuffer = (pszPathOutLength + 1) * sizeof(WCHAR); PWSTR pszPathOut = (PWSTR)calloc(sizeOfBuffer, 2); if (!pszPathOut) @@ -131,7 +131,7 @@ HRESULT PATH_ALLOC_COMBINE(PCSTR pszPathIn, PCSTR pszMore, WINPR_ATTR_UNUSED uns if ((pszPathIn[1] == ':') && (pszPathIn[2] == CUR_PATH_SEPARATOR_CHR)) { const size_t pszPathOutLength = 2 + pszMoreLength; - const size_t sizeOfBuffer = (pszPathOutLength + 1) * 2; + const size_t sizeOfBuffer = (pszPathOutLength + 1) * sizeof(WCHAR); PSTR pszPathOut = calloc(sizeOfBuffer, 2); if (!pszPathOut) @@ -145,7 +145,7 @@ HRESULT PATH_ALLOC_COMBINE(PCSTR pszPathIn, PCSTR pszMore, WINPR_ATTR_UNUSED uns else { const size_t pszPathOutLength = pszPathInLength + pszMoreLength; - const size_t sizeOfBuffer = (pszPathOutLength + 1) * 2; + const size_t sizeOfBuffer = (pszPathOutLength + 1) * sizeof(WCHAR); PSTR pszPathOut = calloc(sizeOfBuffer, 2); if (!pszPathOut) diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_message.c b/winpr/libwinpr/sspi/NTLM/ntlm_message.c index b70ce4ea2..a3952559c 100644 --- a/winpr/libwinpr/sspi/NTLM/ntlm_message.c +++ b/winpr/libwinpr/sspi/NTLM/ntlm_message.c @@ -1285,11 +1285,11 @@ SECURITY_STATUS ntlm_write_AuthenticateMessage(NTLM_CONTEXT* context, SecBuffer* if (credentials->identity.DomainLength > 0) { message->NegotiateFlags |= NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED; - message->DomainName.Len = (UINT16)credentials->identity.DomainLength * 2; + message->DomainName.Len = (UINT16)credentials->identity.DomainLength * sizeof(WCHAR); message->DomainName.Buffer = (BYTE*)credentials->identity.Domain; } - message->UserName.Len = (UINT16)credentials->identity.UserLength * 2; + message->UserName.Len = (UINT16)credentials->identity.UserLength * sizeof(WCHAR); message->UserName.Buffer = (BYTE*)credentials->identity.User; message->LmChallengeResponse.Len = (UINT16)context->LmChallengeResponse.cbBuffer; message->LmChallengeResponse.Buffer = (BYTE*)context->LmChallengeResponse.pvBuffer; diff --git a/winpr/libwinpr/utils/collections/BufferPool.c b/winpr/libwinpr/utils/collections/BufferPool.c index 6513b714b..4b8bf3e13 100644 --- a/winpr/libwinpr/utils/collections/BufferPool.c +++ b/winpr/libwinpr/utils/collections/BufferPool.c @@ -127,9 +127,20 @@ static BOOL BufferPool_ShiftUsed(wBufferPool* pool, SSIZE_T index, SSIZE_T count { if (count > 0) { - if (pool->uSize + count > pool->uCapacity) + const SSIZE_T required = pool->uSize + count; + // check for overflow + if ((required < count) || (required < pool->uSize)) + return FALSE; + + if (required > pool->uCapacity) { - SSIZE_T newUCapacity = pool->uCapacity * 2; + SSIZE_T newUCapacity = pool->uCapacity; + do + { + if (newUCapacity > SIZE_MAX - 128ull) + return FALSE; + newUCapacity += 128ull; + } while (newUCapacity <= required); wBufferPoolItem* newUArray = NULL; if (pool->alignment > 0) newUArray = (wBufferPoolItem*)winpr_aligned_realloc( diff --git a/winpr/libwinpr/utils/collections/MessageQueue.c b/winpr/libwinpr/utils/collections/MessageQueue.c index 361685b41..cc1f579f3 100644 --- a/winpr/libwinpr/utils/collections/MessageQueue.c +++ b/winpr/libwinpr/utils/collections/MessageQueue.c @@ -96,16 +96,25 @@ static BOOL MessageQueue_EnsureCapacity(wMessageQueue* queue, size_t count) { WINPR_ASSERT(queue); - if (queue->size + count >= queue->capacity) + const size_t required = queue->size + count; + // check for overflow + if ((required < queue->size) || (required < count)) + return FALSE; + + if (required >= queue->capacity) { - wMessage* new_arr = NULL; size_t old_capacity = queue->capacity; - size_t new_capacity = queue->capacity * 2; + size_t new_capacity = queue->capacity; - if (new_capacity < queue->size + count) + if (new_capacity < required) + { new_capacity = queue->size + count; + // check for overflow + if (new_capacity < old_capacity) + return FALSE; + } - new_arr = (wMessage*)realloc(queue->array, sizeof(wMessage) * new_capacity); + wMessage* new_arr = (wMessage*)realloc(queue->array, sizeof(wMessage) * new_capacity); if (!new_arr) return FALSE; queue->array = new_arr; diff --git a/winpr/libwinpr/utils/collections/ObjectPool.c b/winpr/libwinpr/utils/collections/ObjectPool.c index 98f962ae9..4e6efd260 100644 --- a/winpr/libwinpr/utils/collections/ObjectPool.c +++ b/winpr/libwinpr/utils/collections/ObjectPool.c @@ -92,13 +92,18 @@ void ObjectPool_Return(wObjectPool* pool, void* obj) { ObjectPool_Lock(pool); - if ((pool->size + 1) >= pool->capacity) + WINPR_ASSERT(pool->size < SIZE_MAX); + const size_t required = pool->size + 1ull; + if (required >= pool->capacity) { - size_t new_cap = 0; - void** new_arr = NULL; + size_t new_cap = pool->capacity; + do + { + WINPR_ASSERT(new_cap <= SIZE_MAX - 128ull); + new_cap += 128ull; + } while (new_cap <= required); - new_cap = pool->capacity * 2; - new_arr = (void**)realloc((void*)pool->array, sizeof(void*) * new_cap); + void** new_arr = (void**)realloc((void*)pool->array, sizeof(void*) * new_cap); if (!new_arr) goto out; diff --git a/winpr/libwinpr/utils/collections/PubSub.c b/winpr/libwinpr/utils/collections/PubSub.c index 147135338..fae0bdec0 100644 --- a/winpr/libwinpr/utils/collections/PubSub.c +++ b/winpr/libwinpr/utils/collections/PubSub.c @@ -94,13 +94,19 @@ void PubSub_AddEventTypes(wPubSub* pubSub, wEventType* events, size_t count) if (pubSub->synchronized) PubSub_Lock(pubSub); - while (pubSub->count + count >= pubSub->size) - { - size_t new_size = 0; - wEventType* new_event = NULL; + const size_t required = pubSub->count + count; + WINPR_ASSERT((required >= pubSub->count) && (required >= count)); - new_size = pubSub->size * 2; - new_event = (wEventType*)realloc(pubSub->events, new_size * sizeof(wEventType)); + if (required >= pubSub->size) + { + size_t new_size = pubSub->size; + do + { + WINPR_ASSERT(new_size <= SIZE_MAX - 128ull); + new_size += 128ull; + } while (new_size <= required); + + wEventType* new_event = (wEventType*)realloc(pubSub->events, new_size * sizeof(wEventType)); if (!new_event) goto fail; pubSub->size = new_size; diff --git a/winpr/libwinpr/utils/collections/Stack.c b/winpr/libwinpr/utils/collections/Stack.c index 13f6ba173..1f041d5bc 100644 --- a/winpr/libwinpr/utils/collections/Stack.c +++ b/winpr/libwinpr/utils/collections/Stack.c @@ -141,9 +141,15 @@ void Stack_Push(wStack* stack, void* obj) if (stack->synchronized) EnterCriticalSection(&stack->lock); - if ((stack->size + 1) >= stack->capacity) + WINPR_ASSERT(stack->size < SIZE_MAX); + if ((stack->size + 1ull) >= stack->capacity) { - const size_t new_cap = stack->capacity * 2; + size_t new_cap = stack->capacity; + do + { + WINPR_ASSERT(new_cap <= SIZE_MAX - 128ull); + new_cap += 128ull; + } while (new_cap <= stack->size + 1ull); void** new_arr = (void**)realloc((void*)stack->array, sizeof(void*) * new_cap); if (!new_arr) diff --git a/winpr/libwinpr/utils/stream.c b/winpr/libwinpr/utils/stream.c index 7a43e57e1..cbfbbfa16 100644 --- a/winpr/libwinpr/utils/stream.c +++ b/winpr/libwinpr/utils/stream.c @@ -46,20 +46,19 @@ BOOL Stream_EnsureCapacity(wStream* s, size_t size) WINPR_ASSERT(s); if (s->capacity < size) { - size_t position = 0; - size_t old_capacity = 0; - size_t new_capacity = 0; BYTE* new_buf = NULL; - old_capacity = s->capacity; - new_capacity = old_capacity; + size_t old_capacity = s->capacity; + size_t new_capacity = old_capacity; do { - new_capacity *= 2; - } while (new_capacity < size); + if (new_capacity > SIZE_MAX - 128ull) + return FALSE; + new_capacity += 128ull; + } while (new_capacity <= size); - position = Stream_GetPosition(s); + const size_t position = Stream_GetPosition(s); if (!s->isOwner) { diff --git a/winpr/tools/makecert/makecert.c b/winpr/tools/makecert/makecert.c index 94795160e..f9e357511 100644 --- a/winpr/tools/makecert/makecert.c +++ b/winpr/tools/makecert/makecert.c @@ -78,12 +78,9 @@ static char* makecert_read_str(BIO* bio, size_t* pOffset) while (offset >= length) { - size_t new_len = 0; size_t readBytes = 0; char* new_str = NULL; - new_len = length * 2; - if (new_len == 0) - new_len = 2048; + size_t new_len = length + 2048ull; if (new_len > INT_MAX) {