Merge pull request #745 from c3h2-ctf/vasprintf

vasprintf(): avoid out of memory accesses

vasprintf_compat.h

@@ -8,6 +8,10 @@
 
 #include "snprintf_compat.h"
 
+#ifndef WIN32
+#include <stdarg.h>
+#endif /* !defined(WIN32) */
+#include <stdint.h>
 #include <stdlib.h>
 
 #if !defined(HAVE_VASPRINTF)
@@ -16,6 +20,7 @@ static int vasprintf(char **buf, const char *fmt, va_list ap)
 {
 #ifndef WIN32
 	static char _T_emptybuffer = '\0';
+	va_list ap2;
 #endif /* !defined(WIN32) */
 	int chars;
 	char *b;
@@ -26,19 +31,21 @@ static int vasprintf(char **buf, const char *fmt, va_list ap)
 	}
 
 #ifdef WIN32
-	chars = _vscprintf(fmt, ap) + 1;
+	chars = _vscprintf(fmt, ap);
 #else  /* !defined(WIN32) */
 	/* CAW: RAWR! We have to hope to god here that vsnprintf doesn't overwrite
-	 * our buffer like on some 64bit sun systems.... but hey, its time to move on
+	 * our buffer like on some 64bit sun systems... but hey, it's time to move on
 	 */
-	chars = vsnprintf(&_T_emptybuffer, 0, fmt, ap) + 1;
+	va_copy(ap2, ap);
-	if (chars < 0)
+	chars = vsnprintf(&_T_emptybuffer, 0, fmt, ap2);
-	{
+	va_end(ap2);
-		chars *= -1;
-	} /* CAW: old glibc versions have this problem */
 #endif /* defined(WIN32) */
+	if (chars < 0 || (size_t)chars + 1 > SIZE_MAX / sizeof(char))
+	{
+		return -1;
+	}
 
-	b = (char *)malloc(sizeof(char) * chars);
+	b = (char *)malloc(sizeof(char) * ((size_t)chars + 1));
 	if (!b)
 	{
 		return -1;