guard integer overflow and unbounded sizes

JeremiahM37 · JeremiahM37 · commit 6f522547ea3a · 2026-05-05T16:53:39.000Z
diff --git a/src/json/centijson_sax.c b/src/json/centijson_sax.c
@@ -311,7 +311,12 @@ json_buf_append(JSON_PARSER* parser, const unsigned char* data, size_t size)
 {
     if(parser->buf_used + size > parser->buf_alloced) {
         unsigned char* new_buf;
-        size_t new_alloced = (parser->buf_used + size) * 2;
+        size_t new_alloced;
+        if(parser->buf_used > SIZE_MAX / 2 || size > SIZE_MAX / 2 - parser->buf_used) {
+            json_raise(parser, JSON_ERR_OUTOFMEMORY);
+            WOLFSENTRY_RETURN_VALUE(-1);
+        }
+        new_alloced = (parser->buf_used + size) * 2;
 
         new_buf = (unsigned char *)realloc(parser->buf, new_alloced);
         if(new_buf == NULL) {
diff --git a/src/routes.c b/src/routes.c
@@ -1955,6 +1955,8 @@ static wolfsentry_errcode_t wolfsentry_route_lookup_1(
     const size_t addr_buf_size = WOLFSENTRY_BITS_TO_BYTES(remote->addr_len) + WOLFSENTRY_BITS_TO_BYTES(local->addr_len);
     struct wolfsentry_route *target;
 
+    if (addr_buf_size > (size_t)WOLFSENTRY_MAX_ADDR_BYTES * 2)
+        WOLFSENTRY_ERROR_RETURN(NUMERIC_ARG_TOO_BIG);
     target = (struct wolfsentry_route *)alloca(sizeof(*target) + addr_buf_size);
     #define LOOKUP_TARGET target
 #endif
@@ -4012,24 +4014,26 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_route_flag_assoc_by_name(const ch
 
 static wolfsentry_errcode_t ws_itoa(int i, unsigned char **out, size_t *spc) {
     int out_chars;
-    int digit_thresh;
+    unsigned int u;
+    unsigned int digit_thresh;
     int neg;
     if (i < 0) {
         neg = 1;
-        i = -i;
+        u = -(unsigned int)i;
         out_chars = 2;
     } else {
         neg = 0;
+        u = (unsigned int)i;
         out_chars = 1;
     }
     for (digit_thresh = 10; ; digit_thresh *= 10) {
-        if (i >= digit_thresh)
+        if (u >= digit_thresh)
             ++out_chars;
         else {
             digit_thresh /= 10;
             break;
         }
-        if (digit_thresh == 1000000000)
+        if (digit_thresh == 1000000000U)
             break;
     }
     if (*spc < (size_t)out_chars)
@@ -4038,8 +4042,8 @@ static wolfsentry_errcode_t ws_itoa(int i, unsigned char **out, size_t *spc) {
     if (neg)
         *(*out)++ = '-';
     while (digit_thresh >= 1) {
-        int quotient = i / digit_thresh;
-        i %= digit_thresh;
+        unsigned int quotient = u / digit_thresh;
+        u %= digit_thresh;
         digit_thresh /= 10;
         *(*out)++ = (unsigned char)('0' + quotient);
     }
diff --git a/src/wolfsentry_util.c b/src/wolfsentry_util.c
@@ -3617,6 +3617,8 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_eventconfig_check(
              ((config->route_private_data_alignment & (config->route_private_data_alignment - 1)) != 0) ||
              (config->route_private_data_alignment > config->route_private_data_size)))
             WOLFSENTRY_ERROR_RETURN(INVALID_ARG);
+        if (config->route_private_data_size > MAX_UINT_OF(((struct wolfsentry_route *)0)->data_addr_offset))
+            WOLFSENTRY_ERROR_RETURN(NUMERIC_ARG_TOO_BIG);
     }
 
     if (config->route_private_data_alignment > 0) {

Original file line number	Diff line number	Diff line change
`@@ -3617,6 +3617,8 @@ WOLFSENTRY_API wolfsentry_errcode_t wolfsentry_eventconfig_check(`
`3617`	`3617`	`((config->route_private_data_alignment & (config->route_private_data_alignment - 1)) != 0) \|\|`
`3618`	`3618`	`(config->route_private_data_alignment > config->route_private_data_size)))`
`3619`	`3619`	`WOLFSENTRY_ERROR_RETURN(INVALID_ARG);`
	`3620`	`+ if (config->route_private_data_size > MAX_UINT_OF(((struct wolfsentry_route *)0)->data_addr_offset))`
	`3621`	`+ WOLFSENTRY_ERROR_RETURN(NUMERIC_ARG_TOO_BIG);`
`3620`	`3622`	`}`
`3621`	`3623`
`3622`	`3624`	`if (config->route_private_data_alignment > 0) {`