From 4106c70649b08b05c0786c48197f185884d36596 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Fri, 8 May 2026 09:13:50 +0200
Subject: [PATCH] CVE-2026-44070,CVE-2026-7836: libatalk/unicode: cap realloc and fix hextoint
Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 libatalk/unicode/charcnv.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libatalk/unicode/charcnv.c b/libatalk/unicode/charcnv.c
index 6a0f02fab..51edac954 100644
--- a/libatalk/unicode/charcnv.c
+++ b/libatalk/unicode/charcnv.c
@@ -59,7 +59,8 @@ static atalk_iconv_t conv_handles[MAX_CHARSETS][MAX_CHARSETS];
 static char *charset_names[MAX_CHARSETS];
 static struct charset_functions *charsets[MAX_CHARSETS];
 static char hexdig[] = "0123456789abcdef";
-#define hextoint( c ) ( isdigit( c ) ? c - '0' : c + 10 - 'a' )
+#define hextoint(c) (isdigit(c) ? (c) - '0' : tolower(c) + 10 - 'a')
+#define MAX_CONVERT_SIZE (1 << 20)
 /*!
@@ -385,6 +386,12 @@ static size_t convert_string_allocate_internal(charset_t from, charset_t to,
 destlen = MAX(srclen, 512);
 convert:
+
+ if (destlen > MAX_CONVERT_SIZE) {
+ SAFE_FREE(ob);
+ return (size_t) -1;
+ }
+
 destlen = destlen * 2;
 outbuf = (char *)realloc(ob, destlen);
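Review bot: In the first hunk (`@@ -59,7 +59,8 @@`), the rewritten `hextoint` still passes its argument straight to `isdigit()` and `tolower()`, so a plain `char` with the high bit set would be undefined behaviour on platforms where `char` is signed. Casting at the ctype calls closes that: `#define hextoint(c) (isdigit((unsigned char)(c)) ? (c) - '0' : tolower((unsigned char)(c)) + 10 - 'a')`. The macro also still yields an out-of-range value for any non-hex character and evaluates `c` more than once, so a comment such as `/* c must already have passed isxdigit(); argument is evaluated more than once */` would record the precondition; the call sites are outside this hunk, so whether they all check first cannot be confirmed from here.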
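Review bot: In the second hunk (`@@ -385,6 +386,12 @@`), the cap is tested before `destlen = destlen * 2`, so the largest buffer actually requested is 2 * MAX_CONVERT_SIZE, and because `destlen` starts at `MAX(srclen, 512)` any input with `srclen` above 1 MiB is refused on the first pass without attempting conversion. Neither is evident from the constant's name; a comment on the define, e.g. `/* limit on destlen before doubling: buffer may reach 2 * MAX_CONVERT_SIZE; larger inputs are rejected */`, would make the bound auditable. The new early return also hands callers a bare `(size_t) -1` with no errno or log line, so a rejected oversize conversion is indistinguishable from any other failure during triage; setting `errno = E2BIG;` before the return would help if callers consult errno, which is not visible here. The body of convert_string_allocate_internal starts and ends outside the hunk.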