From 9ea7639e11ddf8353aefc7a9686215438289537e Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Tue, 6 Dec 2022 15:06:17 +0100
Subject: [PATCH] nss_aix: Fix Bug 15260 int overflow in winbind_nss_aix

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15260
Signed-off-by: Volker Lendecke
---
 nsswitch/winbind_nss_aix.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nsswitch/winbind_nss_aix.c b/nsswitch/winbind_nss_aix.c
index f1f00e92a76..aeda9e7e891 100644
--- a/nsswitch/winbind_nss_aix.c
+++ b/nsswitch/winbind_nss_aix.c
@@ -357,7 +357,7 @@ static char *wb_aix_getgrset(char *user)
 NSS_STATUS ret;
 int i, idx;
 char *tmpbuf;
- int num_gids;
+ size_t num_gids;
 gid_t *gid_list;
 char *r_user = user;
 
@@ -385,6 +385,11 @@ static char *wb_aix_getgrset(char *user)
 num_gids = response.data.num_entries;
 gid_list = (gid_t *)response.extra_data.data;
 
+ if (num_gids >= SIZE_MAX/12) {
+ winbindd_free_response(&response);
+ return NULL;
+ }
+
 /* allocate a space large enough to contruct the string */
 tmpbuf = malloc(num_gids*12);
 if (!tmpbuf) {
-- 
2.30.2
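Review bot: `num_gids` becomes `size_t` in the first hunk while `int i, idx;` two lines above it stay signed, so any later comparison of the index with the count is now done in unsigned arithmetic. The rest of wb_aix_getgrset lies outside this hunk; if it contains an expression such as `num_gids-1`, a count of zero would wrap to SIZE_MAX where the old `int` gave -1, turning a skipped loop into an unbounded one. An explicit `if (num_gids == 0)` early exit after the assignment, and declaring the index as `size_t i;`, would make the zero case and the mixed-sign comparison safe regardless of what follows.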
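Review bot: The guard `if (num_gids >= SIZE_MAX/12)` in the second hunk keeps `num_gids*12` from wrapping, but `num_gids` is still taken from `response.data.num_entries` without being checked against the amount of data actually behind `response.extra_data.data`. If the code after the hunk indexes `gid_list` up to `num_gids` (not visible here), a count larger than the payload would read past that buffer, so the count should be validated against the extra-data length, and `gid_list` checked for NULL, before the allocation. The new early return releases the response; the body of the existing `if (!tmpbuf) {` branch is cut off by the hunk, so it is worth confirming that it calls `winbindd_free_response(&response);` as well. The literal 12 now appears in both the guard and the `malloc`; a named constant with a comment stating the per-gid byte budget would keep the two in step.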