From 2b14793213363381f2ee0d674242aad9863e30c0 Mon Sep 17 00:00:00 2001
From: Nikolaj Bjorner <nbjorner@microsoft.com>
Date: Wed, 14 Feb 2024 17:08:09 +0700
Subject: [PATCH] #7117

probably overflow of unsigned for large capacity
---
 src/util/chashtable.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/util/chashtable.h b/src/util/chashtable.h
index 450d2bfa454..b15d6017f77 100644
--- a/src/util/chashtable.h
+++ b/src/util/chashtable.h
@@ -161,8 +161,12 @@ class chashtable : private HashProc, private EqProc {
         unsigned curr_cellar  = (m_capacity - m_slots);
         unsigned new_slots    = m_slots * 2;
         unsigned new_cellar   = curr_cellar * 2;
+        if (new_slots < m_slots || new_cellar < curr_cellar)
+            throw default_exception("table overflow");            
         while (true) {
             unsigned new_capacity = new_slots + new_cellar;
+            if (new_capacity < new_slots)
+                throw default_exception("table overflow");
             cell * new_table      = alloc_table(new_capacity);
             cell * next_cell      = copy_table(m_table, m_slots, m_capacity,
                                                new_table, new_slots, new_capacity,
@@ -179,6 +183,8 @@ class chashtable : private HashProc, private EqProc {
                 return;
             }
             dealloc_vect(new_table, new_capacity);
+            if (2*new_cellar < new_cellar)
+                throw default_exception("table overflow");                
             new_cellar *= 2;
         }
     }