From e2eaefbf7ab423805f4122de9ee0b93000bf8a80 Mon Sep 17 00:00:00 2001
From: Tony Finch
Date: Tue, 6 Jun 2023 15:24:02 +0100
Subject: [PATCH] Check for overflow when resizing a heap

Ensure that the heap size calculations produce the correct answers, and use `isc_mem_reget()` instead of calling `get` and `put`.
Closes #4122
---
 lib/isc/heap.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 7b0cc28854..816b80db87 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include /* Required for memmove. */
 #include
@@ -123,20 +124,17 @@ isc_heap_destroy(isc_heap_t **heapp) {
 static void
 resize(isc_heap_t *heap) {
- void **new_array;
- unsigned int new_size;
+ unsigned int new_size, new_bytes, old_bytes;
 REQUIRE(VALID_HEAP(heap));
- new_size = heap->size + heap->size_increment;
- new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
- if (heap->array != NULL) {
- memmove(new_array, heap->array, heap->size * sizeof(void *));
- isc_mem_put(heap->mctx, heap->array,
- heap->size * sizeof(void *));
- }
+ new_size = ISC_CHECKED_ADD(heap->size, heap->size_increment);
+ new_bytes = ISC_CHECKED_MUL(new_size, sizeof(void *));
+ old_bytes = ISC_CHECKED_MUL(heap->size, sizeof(void *));
+
 heap->size = new_size;
- heap->array = new_array;
+ heap->array = isc_mem_reget(heap->mctx, heap->array, old_bytes,
+ new_bytes);
 }
 static void
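Review bot: In `resize()` (second hunk), `new_bytes` and `old_bytes` are declared `unsigned int` although one operand of each `ISC_CHECKED_MUL` is `sizeof(void *)`, a `size_t`. Whether the check catches a product that fits in `size_t` but not in `unsigned int` depends on how the macro types its result, which this patch does not show. Declaring the byte counts as `size_t` removes that dependency: `unsigned int new_size;` followed by `size_t new_bytes, old_bytes;`. Dropping the old `if (heap->array != NULL)` guard also means a still-NULL array is now passed to `isc_mem_reget()` with `old_bytes == 0`. A short comment should state that this is accepted, and should say what a failed checked operation does (presumably an assertion failure, so the process stops rather than allocating a truncated size).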