From bfac6031ab075834183c9f18b28363d11b99e44a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Dec 2010 17:01:04 +0100
Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros

CVE-2010-4341
bnc#660481

diff --git a/src/util/util.h b/src/util/util.h
index 7c35550..50c5fe2 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -207,12 +207,14 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
     SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr)
 
 #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
-    if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \
+    if ((*(pctr) + sizeof(uint32_t)) > (len) || \
+        SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \
     safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
 } while(0)
 
 #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
-    if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \
+    if ((*(pctr) + sizeof(int32_t)) > (len) || \
+        SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \
     safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
 } while(0)
 
-- 
1.7.3.2