Merge pull request #660 from stoeckmann/arraylist

Validate size arguments in arraylist functions.

arraylist.c

@@ -45,6 +45,8 @@ struct array_list *array_list_new2(array_list_free_fn *free_fn, int initial_size
 {
 	struct array_list *arr;
 
+	if (initial_size < 0 || (size_t)initial_size >= SIZE_T_MAX / sizeof(void *))
+		return NULL;
 	arr = (struct array_list *)malloc(sizeof(struct array_list));
 	if (!arr)
 		return NULL;
@@ -106,6 +108,8 @@ int array_list_shrink(struct array_list *arr, size_t empty_slots)
 	void *t;
 	size_t new_size;
 
+	if (empty_slots >= SIZE_T_MAX / sizeof(void *) - arr->length)
+		return -1;
 	new_size = arr->length + empty_slots;
 	if (new_size == arr->size)
 		return 0;

tests/test1.c

@@ -1,4 +1,5 @@
 #include <assert.h>
+#include <limits.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -307,6 +308,27 @@ int main(int argc, char **argv)
 	}
 	printf("my_object.to_string()=%s\n", json_object_to_json_string(my_object));
 
+	json_object_put(my_array);
+	my_array = json_object_new_array_ext(INT_MIN + 1);
+	if (my_array != NULL)
+	{
+		printf("ERROR: able to allocate an array of negative size!\n");
+		fflush(stdout);
+		json_object_put(my_array);
+		my_array = NULL;
+	}
+
+#if SIZEOF_SIZE_T == SIZEOF_INT
+	my_array = json_object_new_array_ext(INT_MAX / 2 + 2);
+	if (my_array != NULL)
+	{
+		printf("ERROR: able to allocate an array of insufficient size!\n");
+		fflush(stdout);
+		json_object_put(my_array);
+		my_array = NULL;
+	}
+#endif
+
 	json_object_put(my_string);
 	json_object_put(my_int);
 	json_object_put(my_null);