fix: the array_realloc function in ev in ev.c

[orbisai0security]

Summary

Fix high severity security issue in shadowsocksr-libev/src/libev/ev.c.

Vulnerability

Field	Value
ID	V-002
Severity	HIGH
Scanner	multi_agent_ai
Rule	V-002
File	shadowsocksr-libev/src/libev/ev.c:1946
Assessment	Confirmed exploitable
Chain Complexity	2-step

Description: The array_realloc function in ev.c takes element size and count parameters for dynamic array reallocation. The multiplication of elem * cnt to calculate allocation size uses int arithmetic which can overflow, resulting in a smaller-than-expected buffer allocation. Subsequent operations writing to this undersized buffer cause heap corruption.

Evidence

Exploitation scenario: An attacker establishes a very large number of simultaneous connections to the proxy service, causing internal watcher arrays to grow.

Scanner confirmation: multi_agent_ai rule V-002 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

• shadowsocksr-libev/src/libev/ev.c

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

Security Invariant

Property: The security boundary is maintained under adversarial input

Regression test

#include <check.h>
#include <stdlib.h>
#include <limits.h>
#include <stdint.h>

/* Declare array_realloc from ev.c */
void *array_realloc(int elem, void *base, int *cur, int cnt);

START_TEST(test_array_realloc_overflow_safety)
{
    /* Invariant: array_realloc must not allocate an undersized buffer
     * when elem * cnt would overflow int arithmetic. Either it must
     * allocate at least elem*cnt bytes or fail safely (return NULL). */

    struct {
        int elem;
        int cnt;
    } cases[] = {
        /* Exploit case: large elem and cnt that overflow when multiplied as int */
        { 65536, INT_MAX / 32 },
        /* Boundary: values just at the edge of overflow */
        { 32768, (INT_MAX / 32768) + 1 },
        /* Valid case: small allocation that should succeed */
        { 16, 64 },
    };
    int num_cases = sizeof(cases) / sizeof(cases[0]);

    for (int i = 0; i < num_cases; i++) {
        int cur = 0;
        int elem = cases[i].elem;
        int cnt = cases[i].cnt;
        int64_t required = (int64_t)elem * (int64_t)cnt;

        void *result = array_realloc(elem, NULL, &cur, cnt);

        if (required > INT_MAX || required < 0) {
            /* Overflow case: must not return a valid undersized buffer */
            /* If it returns non-NULL, cur*elem must cover the request */
            if (result != NULL) {
                int64_t allocated = (int64_t)cur * (int64_t)elem;
                ck_assert_msg(allocated >= required,
                    "Undersized allocation: needed %lld, got %lld (case %d)",
                    (long long)required, (long long)allocated, i);
                free(result);
            }
            /* Returning NULL is acceptable for overflow */
        } else {
            /* Valid case: should succeed with sufficient size */
            ck_assert_ptr_nonnull(result);
            ck_assert_int_ge(cur, cnt);
            free(result);
        }
    }
}
END_TEST

Suite *security_suite(void)
{
    Suite *s;
    TCase *tc_core;

    s = suite_create("Security");
    tc_core = tcase_create("Core");

    tcase_add_test(tc_core, test_array_realloc_overflow_safety);
    suite_add_tcase(s, tc_core);

    return s;
}

int main(void)
{
    int number_failed;
    Suite *s;
    SRunner *sr;

    s = security_suite();
    sr = srunner_create(s);

    srunner_run_all(sr, CK_NORMAL);
    number_failed = srunner_ntests_failed(sr);
    srunner_free(sr);

    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

This test guards against regressions — it's useful independent of the code change above.

---

Automated security fix by OrbisAI Security