From owner-svn-src-head@freebsd.org  Wed Mar 22 17:37:49 2017
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 183C3D18ABF;
 Wed, 22 Mar 2017 17:37:49 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id DC0C01038;
 Wed, 22 Mar 2017 17:37:48 +0000 (UTC) (envelope-from cem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v2MHbmo3024061;
 Wed, 22 Mar 2017 17:37:48 GMT (envelope-from cem@FreeBSD.org)
Received: (from cem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v2MHblI5024060;
 Wed, 22 Mar 2017 17:37:47 GMT (envelope-from cem@FreeBSD.org)
Message-Id: <201703221737.v2MHblI5024060@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org
 using -f
From: Conrad Meyer <cem@FreeBSD.org>
Date: Wed, 22 Mar 2017 17:37:47 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r315720 - head/lib/libc/gen
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 17:37:49 -0000

Author: cem
Date: Wed Mar 22 17:37:47 2017
New Revision: 315720
URL: https://svnweb.freebsd.org/changeset/base/315720

Log:
  scandir: Fix NULL dereference, uninitialized value use in error case
  
  If opendir succeeds but malloc fails, numitems was used uninitialized in
  error handling under the 'fail' label.  If it happened to have a non-zero
  value, the NULL 'names' was dereferenced.
  
  Reported by:	Coverity
  CIDs:		1329566, 1372625
  Sponsored by:	Dell EMC Isilon

Modified:
  head/lib/libc/gen/scandir.c

Modified: head/lib/libc/gen/scandir.c
==============================================================================
--- head/lib/libc/gen/scandir.c	Wed Mar 22 17:33:57 2017	(r315719)
+++ head/lib/libc/gen/scandir.c	Wed Mar 22 17:37:47 2017	(r315720)
@@ -89,12 +89,12 @@ scandir(const char *dirname, struct dire
 	if ((dirp = opendir(dirname)) == NULL)
 		return(-1);
 
+	numitems = 0;
 	arraysz = 32;	/* initial estimate of the array size */
 	names = (struct dirent **)malloc(arraysz * sizeof(struct dirent *));
 	if (names == NULL)
 		goto fail;
 
-	numitems = 0;
 	while ((d = readdir(dirp)) != NULL) {
 		if (select != NULL && !SELECT(d))
 			continue;	/* just selected names */