fix: out-of-memory condition by corrupted save file

Don't allocate the memory trusting the values in a toxsave file.
TokTok · Feb 21, 2022 · a8ccdb1 · a8ccdb1
1 parent 12dbafb
commit a8ccdb1
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/toxcore/group.c b/toxcore/group.c
@@ -3426,15 +3426,6 @@ static uint32_t load_group(Group_c *g, const Group_Chats *g_c, const uint8_t *da
     lendian_bytes_to_host32(&g->numfrozen, data);
     data += sizeof(uint32_t);
 
-    if (g->numfrozen > 0) {
-        g->frozen = (Group_Peer *)calloc(g->numfrozen, sizeof(Group_Peer));
-
-        if (g->frozen == nullptr) {
-            // Memory allocation failure
-            return 0;
-        }
-    }
-
     g->title_len = *data;
 
     if (g->title_len > MAX_NAME_LENGTH) {
@@ -3460,6 +3451,14 @@ static uint32_t load_group(Group_c *g, const Group_Chats *g_c, const uint8_t *da
             return 0;
         }
 
+        // This is inefficient, but allows us to check data consistency before allocating memory
+        g->frozen = (Group_Peer *)realloc(g->frozen, (j + 1) * sizeof(Group_Peer));
+
+        if (g->frozen == nullptr) {
+            // Memory allocation failure
+            return 0;
+        }
+
         Group_Peer *peer = &g->frozen[j];
         memset(peer, 0, sizeof(Group_Peer));