Our recent code security fixes made malloc check ``` tor_assert(size < SIZE_T_CEILING); ``` but we didn't add a similar check to tor_realloc(). Assuming we do add it, doors pointed out another gotcha: In tor_gzip_uncompress() we ``` *out = tor_realloc(*out, out_size); stream->next_out = (unsigned char*)(*out + offset); if (out_size - offset > UINT_MAX) { log_warn(LD_BUG, "Ran over unsigned int limit of zlib while " "uncompressing."); goto err; } ``` And since the largest compressed blob we'll accept is MAX_DIR_DL_SIZE (16MBish), a compress bomb (e.g. a consensus answer) could create a string that's more than SIZE_T_CEILING yet less than UINT_MAX, thus remotely triggering the assert in tor_realloc.