From 58bb106c93e3b3618c01fb337d488b1c6ca85c85 Mon Sep 17 00:00:00 2001
From: Guilherme Amadio
Date: Tue, 26 Nov 2024 11:59:35 +0100
Subject: [PATCH] [Secztn] Fix integer overflow check in DecodeUrl()

Using pointers in expressions that may cause overflow leads to undefined behavior. See also https://lwn.net/Articles/278137/
---
 src/XrdSecztn/XrdSecztn.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/XrdSecztn/XrdSecztn.cc b/src/XrdSecztn/XrdSecztn.cc
index 036baed646e..2054d6abbb3 100644
--- a/src/XrdSecztn/XrdSecztn.cc
+++ b/src/XrdSecztn/XrdSecztn.cc
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #ifndef __FreeBSD__
 #include
@@ -81,7 +82,10 @@ namespace
 int DecodeUrl(const char *decode, size_t num_decode, char *out, size_t &num_out)
 {
 // No integer overflows please.
- if ((decode + num_decode) < decode || (out + num_out) < out)
+ if (num_decode > std::numeric_limits::max() - (size_t)decode)
+ return 1;
+
+ if (num_out > std::numeric_limits::max() - (size_t)out)
 return 1;
 if (num_out < DecodeBytesNeeded(num_decode))
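Review bot: The two new guards in DecodeUrl() cast the pointers with a C-style `(size_t)decode` / `(size_t)out`, and `size_t` is not guaranteed to be wide enough to hold a pointer value; `uintptr_t` is the type meant for this, e.g. `if (num_decode > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(decode)) return 1;` and the same for `out` (this needs `<cstdint>`, which may already be included outside the hunk). The template argument of `std::numeric_limits` is not visible on this page, so I am assuming it is `size_t` today. The retained comment `// No integer overflows please.` no longer says why the test is written on integers; something like `// Address-range wrap check done on integers: pointer arithmetic past the buffer is UB and the compiler may delete the test.` would keep a later cleanup from reverting to the pointer form. These guards only rule out address wraparound, so the effective bound on `out` is still the `DecodeBytesNeeded` comparison, and the function body continues outside the hunk.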