From f895d5ab82cea1b4f2788f3b1233d5d94ba78f4a Mon Sep 17 00:00:00 2001 From: Magnus Olsen Date: Sat, 3 Jun 2006 17:18:09 +0000 Subject: [PATCH] Fix overflow caltions bugs in varus memmory functions, Thanks irc : Elrond (from TNG) for fixing calloc overflow bug. svn path=/trunk/; revision=22196 --- reactos/lib/crt/stdlib/malloc.c | 44 +++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/reactos/lib/crt/stdlib/malloc.c b/reactos/lib/crt/stdlib/malloc.c index 1ce9c4ae7cb..44832f767b6 100644 --- a/reactos/lib/crt/stdlib/malloc.c +++ b/reactos/lib/crt/stdlib/malloc.c @@ -36,10 +36,17 @@ extern HANDLE hHeap; */ void* malloc(size_t _size) { + size_t nSize; + if ( _size == 0) return NULL; - - return HeapAlloc(hHeap, 0, ROUND_SIZE(_size)); + + nSize = ROUND_SIZE(_size); + + if (nSize<_size) + return NULL; + + return HeapAlloc(hHeap, 0, nSize); } /* @@ -54,11 +61,14 @@ void free(void* _ptr) * @implemented */ void* calloc(size_t _nmemb, size_t _size) -{ - if ( _size == 0) - return NULL; - - return HeapAlloc(hHeap, HEAP_ZERO_MEMORY, ROUND_SIZE(_nmemb*_size) ); +{ + size_t nSize = _nmemb * _size; + size_t cSize = ROUND_SIZE(nSize); + + if ((_nmemb > ((size_t)-1 / _size) || (nSize == 0) || (cSize
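Review bot: The new guard `if (nSize<_size)` in malloc has no comment, and its purpose is not obvious without the definition of ROUND_SIZE, which lies outside this hunk: it presumably catches the rounded size wrapping around in size_t, so that HeapAlloc is never asked for a block smaller than the caller requested. I would add `/* ROUND_SIZE() wrapped around size_t: refuse rather than under-allocate */` above the check, and confirm that the macro's result really is below `_size` for every request near the size_t maximum. The calloc hunk that follows is cut off in this view, but its visible condition evaluates `(size_t)-1 / _size` before anything tests `_size` for zero, and the old `_size == 0` early return is removed; that looks like a division by zero for `calloc(n, 0)` and is worth checking against the full hunk.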