From 85f4b8f7d9314bb73c06367ff83c3b46c3ea9433 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Quang=20Nguy=E1=BB=85n?=
Date: Mon, 20 Mar 2017 19:13:14 +0700
Subject: [PATCH] Fix an integer overflow issue (#871)
* provide a validity check to prevent against Integer overflow conditions
* fix some style issues.
* provide a validity check in malloc() function to prevent against integer overflow conditions
* missing Ntintsafe.h
* use tabs for indentation
---
contrib/windows_kernel/libc.cpp | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/contrib/windows_kernel/libc.cpp b/contrib/windows_kernel/libc.cpp
index 101b26ac..b5b7d5dc 100644
--- a/contrib/windows_kernel/libc.cpp
+++ b/contrib/windows_kernel/libc.cpp
@@ -5,6 +5,7 @@
 #include "libc.h"
 #include
+#include
 #pragma warning(push)
 #pragma warning (disable : 4565)
@@ -33,10 +34,17 @@
 __cdecl malloc(
 __in size_t size
 )
 {
+ /* A specially crafted size value can trigger the overflow. If the sum in a value that overflows or underflows the capacity of the type, the function returns nullptr. */
+ size_t number_of_bytes = 0;
+ if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(MEMBLOCK), &number_of_bytes))){
+ return nullptr;
+ }
 MEMBLOCK *pBlock = static_cast(
 ExAllocatePoolWithTag(
 NonPagedPoolNxCacheAligned,
- size + sizeof(MEMBLOCK),
+ number_of_bytes,
 _LIBC_POOL_TAG));
 if (nullptr == pBlock)
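Review bot: The comment added above `size_t number_of_bytes = 0;` in the malloc hunk is garbled and partly wrong: "If the sum in a value" is missing its verb, and an unsigned `size_t` addition cannot underflow, it can only wrap on overflow. Suggest replacing the three comment lines with `/* Guard size + sizeof(MEMBLOCK) against size_t wrap-around: a crafted size could otherwise yield a pool block far smaller than the caller asked for. Fail with nullptr exactly like an ordinary allocation failure. */`. The check itself is sound: `RtlSizeTAdd` under `NT_SUCCESS` is the right primitive, and `number_of_bytes` is only consumed after the call succeeds. On style, the condition's closing `))){` lacks a space before the brace and is worth writing as `))) {`, which the commit's own "fix some style issues" bullet presumably intended. malloc's body continues past the end of the hunk, so the `nullptr == pBlock` branch and whatever follows are not reviewed here.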