lib:tdb: Add missing overflow check for num_values in pytdb.c

Error: INTEGER_OVERFLOW (CWE-190):
tdb-1.4.10/pytdb.c:401: cast_overflow: Truncation due to cast operation on "num_values" from 64 to 32 bits.
tdb-1.4.10/pytdb.c:401: overflow_sink: "num_values", which might have overflowed, is passed to "tdb_storev(self->ctx, key, values, num_values, flag)".
  399|           }
  400|
  401|->         ret = tdb_storev(self->ctx, key, values, num_values, flag);
  402|           free(values);
  403|           PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index 77c456454813d5ce499803409de395241759074c..3b1842c02c1b65666f9d3978ac4452f7521ddef0 100644 (file)
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -383,6 +383,10 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args)
                PyErr_SetFromErrno(PyExc_OverflowError);
                return NULL;
        }
+       if (num_values > INT_MAX) {
+               PyErr_SetFromErrno(PyExc_OverflowError);
+               return NULL;
+       }
        values = malloc(sizeof(TDB_DATA) * num_values);
        if (values == NULL) {
                PyErr_NoMemory();
@@ -398,7 +402,7 @@ static PyObject *obj_storev(PyTdbObject *self, PyObject *args)
                values[i] = value;
        }
 
-       ret = tdb_storev(self->ctx, key, values, num_values, flag);
+       ret = tdb_storev(self->ctx, key, values, (int)num_values, flag);
        free(values);
        PyErr_TDB_ERROR_IS_ERR_RAISE(ret, self->ctx);
        Py_RETURN_NONE;