From 7321d504e61eb14cb951a0e493d327130499f9d3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Sat, 16 Feb 2019 20:34:57 +0100
Subject: [PATCH] basic/hexdecoct: be more careful in overflow check

CID #139583: plen + 1 is evaluated as int, and could in principle overflow. So cast to ssize_t and add an additional check that our overflow calculation doesn't overflow itself.
---
 src/basic/hexdecoct.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
index c0f9640..c5987ee 100644
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@@ -601,10 +601,11 @@ static int base64_append_width(
 lines = DIV_ROUND_UP(len, width);
 slen = strlen_ptr(sep);
- if (lines > (SSIZE_MAX - plen - 1 - slen) / (indent + width + 1))
+ if (plen >= SSIZE_MAX - 1 - slen ||
+ lines > (SSIZE_MAX - plen - 1 - slen) / (indent + width + 1))
 return -ENOMEM;
- t = realloc(*prefix, plen + 1 + slen + (indent + width + 1) * lines);
+ t = realloc(*prefix, (ssize_t) plen + 1 + slen + (indent + width + 1) * lines);
 if (!t)
 return -ENOMEM;
--
2.7.4
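Review bot: The sub-expression `(indent + width + 1)` is left unchanged in both the new guard and the realloc() size, so if indent and width are int like plen (their declarations are outside the hunk), that sum is still evaluated in int and keeps the same theoretical overflow this commit removes for `plen + 1`. Widening it in both places would make the check and the allocation agree, e.g. `lines > (SSIZE_MAX - plen - 1 - slen) / ((ssize_t) indent + width + 1))` and `t = realloc(*prefix, (ssize_t) plen + 1 + slen + ((ssize_t) indent + width + 1) * lines);`. Nothing visible here rejects a negative plen or indent either, which would pass the guard and could produce a smaller size than later writes expect or a non-positive divisor; if callers guarantee non-negative values, a short comment or an `assert(plen >= 0);` near the top of the function would record that. base64_append_width starts and ends outside this hunk, so an earlier check may already cover this.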