From e346d88468335ec7eb90abed90ac6c8ae2bd4d46 Mon Sep 17 00:00:00 2001
From: Tommy Le <82196633+Wingingbump@users.noreply.github.com>
Date: Sat, 9 May 2026 13:38:10 -0400
Subject: [PATCH] [programs] guard mallocAndJoin2Dir against size_t overflow
When `dir1Size + dir2Size + 2` exceeds SIZE_MAX, the sum wraps to a small value, causing malloc() to allocate an undersized buffer and the subsequent memcpy() calls to overflow the heap. Add a CONTROL() check so the overflow is caught before the allocation.
Reported in #4642.
---
 programs/util.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/programs/util.c b/programs/util.c
index 652530b1223..251e884516d 100644
--- a/programs/util.c
+++ b/programs/util.c
@@ -13,6 +13,7 @@
 ******************************************/
 #include "util.h" /* note : ensure that platform.h is included first ! */
 #include /* malloc, realloc, free */
+#include /* SIZE_MAX */
 #include /* fprintf */
 #include /* clock_t, clock, CLOCKS_PER_SEC, nanosleep */
 #include
@@ -1212,6 +1213,8 @@ static char* mallocAndJoin2Dir(const char *dir1, const char *dir2)
 const size_t dir2Size = strlen(dir2);
 char *outDirBuffer, *buffer;
+ /* reject sizes that would overflow the malloc() argument */
+ CONTROL(dir1Size <= SIZE_MAX - dir2Size - 2);
 outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
 CONTROL(outDirBuffer != NULL);