From fff2b1c4e7aae88b90dc26bf1cc71388243e5b62 Mon Sep 17 00:00:00 2001
From: sudden6
Date: Mon, 21 Feb 2022 12:31:21 +0100
Subject: [PATCH] fix: out-of-memory condition by corrupted save file

Don't allocate the memory trusting the values in a toxsave file.
---
 toxcore/group.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/toxcore/group.c b/toxcore/group.c
index acfcebc1..42e12988 100644
--- a/toxcore/group.c
+++ b/toxcore/group.c
@@ -3426,15 +3426,6 @@ static uint32_t load_group(Group_c *g, const Group_Chats *g_c, const uint8_t *da
     lendian_bytes_to_host32(&g->numfrozen, data);
     data += sizeof(uint32_t);
 
-    if (g->numfrozen > 0) {
-        g->frozen = (Group_Peer *)calloc(g->numfrozen, sizeof(Group_Peer));
-
-        if (g->frozen == nullptr) {
-            // Memory allocation failure
-            return 0;
-        }
-    }
-
     g->title_len = *data;
 
     if (g->title_len > MAX_NAME_LENGTH) {
@@ -3460,6 +3451,16 @@ static uint32_t load_group(Group_c *g, const Group_Chats *g_c, const uint8_t *da
         return 0;
     }
 
+    // This is inefficient, but allows us to check data consistency before allocating memory
+    Group_Peer *tmp_frozen = (Group_Peer *)realloc(g->frozen, (j + 1) * sizeof(Group_Peer));
+
+    if (tmp_frozen == nullptr) {
+        // Memory allocation failure
+        return 0;
+    }
+
+    g->frozen = tmp_frozen;
+
     Group_Peer *peer = &g->frozen[j];
     memset(peer, 0, sizeof(Group_Peer));