From bb6b9b3f25fbafeb12dac68574d9f677b09880e3 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping
Date: Sun, 28 Apr 2024 21:57:27 +0200
Subject: [PATCH] Protect against integer overflow in ComposeQueryMallocExMm

Requires string input that is longer than INT_MAX / 6 - 1 to exploit.
---
 src/UriQuery.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/UriQuery.c b/src/UriQuery.c
index b2734bc2..4885ff05 100644
--- a/src/UriQuery.c
+++ b/src/UriQuery.c
@@ -177,10 +177,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
 if (res != URI_SUCCESS) {
 return res;
 }
+ if (charsRequired == INT_MAX) {
+ return URI_ERROR_MALLOC;
+ }
 charsRequired++;
 
 /* Allocate space */
- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
+ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
 if (queryString == NULL) {
 return URI_ERROR_MALLOC;
 }
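Review bot: At the `memory->calloc(memory, charsRequired, sizeof(URI_CHAR))` call, the protection against `charsRequired * sizeof(URI_CHAR)` wrapping now rests entirely on the memory manager's `calloc` callback, which may be caller-supplied and is not shown here to check the multiplication. Where `size_t` is 32 bits wide and `URI_CHAR` is wider than one byte, a `charsRequired` just under `INT_MAX` can still wrap the product, so an explicit guard before the call would keep the fix independent of the callback: `if ((size_t)charsRequired > ((size_t)-1) / sizeof(URI_CHAR)) { return URI_ERROR_MALLOC; }`. A short comment such as `/* calloc, not malloc: the size product must be overflow-checked */` would also stop a later cleanup from reverting the call. The function body begins and continues outside this hunk, so whether `charsRequired` can be negative on reaching this point cannot be confirmed from here.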