From 7e139125e26d4c5e4262cf37db0ed3ab86440c42 Mon Sep 17 00:00:00 2001
From: Takatoshi Kondo <redboltz@gmail.com>
Date: Thu, 29 Dec 2016 12:13:14 +0900
Subject: [PATCH] Fixed array and map size overflow.

---
 include/msgpack/v1/unpack.hpp | 12 ++++++++++--
 include/msgpack/v2/unpack.hpp | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/include/msgpack/v1/unpack.hpp b/include/msgpack/v1/unpack.hpp
index 34aca95e..97448c48 100644
--- a/include/msgpack/v1/unpack.hpp
+++ b/include/msgpack/v1/unpack.hpp
@@ -203,7 +203,11 @@ struct unpack_array {
         if (n > u.limit().array()) throw msgpack::array_size_overflow("array size overflow");
         o.type = msgpack::type::ARRAY;
         o.via.array.size = 0;
-        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(n*sizeof(msgpack::object)));
+        size_t size = n*sizeof(msgpack::object);
+        if (size / sizeof(msgpack::object) != n) {
+            throw msgpack::array_size_overflow("array size overflow");
+        }
+        o.via.array.ptr = static_cast<msgpack::object*>(u.zone().allocate_align(size));
     }
 };
 
@@ -221,7 +225,11 @@ struct unpack_map {
         if (n > u.limit().map()) throw msgpack::map_size_overflow("map size overflow");
         o.type = msgpack::type::MAP;
         o.via.map.size = 0;
-        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(n*sizeof(msgpack::object_kv)));
+        size_t size = n*sizeof(msgpack::object_kv);
+        if (size / sizeof(msgpack::object_kv) != n) {
+            throw msgpack::map_size_overflow("map size overflow");
+        }
+        o.via.map.ptr = static_cast<msgpack::object_kv*>(u.zone().allocate_align(size));
     }
 };
 
diff --git a/include/msgpack/v2/unpack.hpp b/include/msgpack/v2/unpack.hpp
index 227d1c77..bef9ec1f 100644
--- a/include/msgpack/v2/unpack.hpp
+++ b/include/msgpack/v2/unpack.hpp
@@ -215,8 +215,12 @@ public:
             obj->via.array.ptr = MSGPACK_NULLPTR;
         }
         else {
+            size_t size = num_elements*sizeof(msgpack::object);
+            if (size / sizeof(msgpack::object) != num_elements) {
+                throw msgpack::array_size_overflow("array size overflow");
+            }
             obj->via.array.ptr =
-                static_cast<msgpack::object*>(m_zone->allocate_align(num_elements*sizeof(msgpack::object)));
+                static_cast<msgpack::object*>(m_zone->allocate_align(size));
         }
         m_stack.push_back(obj->via.array.ptr);
         return true;
@@ -242,8 +246,12 @@ public:
             obj->via.map.ptr = MSGPACK_NULLPTR;
         }
         else {
+            size_t size = num_kv_pairs*sizeof(msgpack::object_kv);
+            if (size / sizeof(msgpack::object_kv) != num_kv_pairs) {
+                throw msgpack::map_size_overflow("map size overflow");
+            }
             obj->via.map.ptr =
-                static_cast<msgpack::object_kv*>(m_zone->allocate_align(num_kv_pairs*sizeof(msgpack::object_kv)));
+                static_cast<msgpack::object_kv*>(m_zone->allocate_align(size));
         }
         m_stack.push_back(reinterpret_cast<msgpack::object*>(obj->via.map.ptr));
         return true;