From owner-freebsd-bugs Fri Jun 13 15:10:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA23547 for bugs-outgoing; Fri, 13 Jun 1997 15:10:05 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.5/8.8.5) id PAA23539; Fri, 13 Jun 1997 15:10:02 -0700 (PDT)
Date: Fri, 13 Jun 1997 15:10:02 -0700 (PDT)
Message-Id: <199706132210.PAA23539@hub.freebsd.org>
To: freebsd-bugs
Cc:
From: ac199@hwcn.org
Subject: Re: bin/3451: vasprintf() doesn't work.
Reply-To: ac199@hwcn.org
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

The following reply was made to PR bin/3451; it has been noted by GNATS.

From: ac199@hwcn.org
To: freebsd-gnats-submit@freebsd.org, Tim.Vanderhoek@X2296
Cc: peter@freebsd.org
Subject: Re: bin/3451: vasprintf() doesn't work.
Date: Fri, 13 Jun 1997 18:05:29 -0400 (EDT)

[Cc'd to peter as the last to touch vasprintf.c]

> Problem Report bin/3451
>
> vasprintf() doesn't work.
>
> Fix
>
>
>*** old.vasprintf.c Tue Apr 29 21:32:00 1997
>--- vasprintf.c Tue Apr 29 21:31:45 1997

Of course, this still isn't right...

[post-patch vasprintf.c]
>--- 111,118 ----
>  if (h.base == NULL) /* failed to realloc in writehook */
>  return (-1);
>
>  *str = realloc(h.base, (size_t)(h.size - h.left + 1));
>+ (*str)[h.size - h.left] = '\0';
>  if (*str == NULL) /* failed to realloc it to actual size */
>  *str = h.base; /* return oversize buffer */
>  return (ret);

realloc() can fail, resulting in a null pointer dereference. That's undesirable. Try, instead,

*** orig.vasprintf.c Tue Apr 29 21:32:00 1997
--- vasprintf.c Fri Jun 13 17:54:17 1997
***************
*** 111,119 ****
  if (h.base == NULL) /* failed to realloc in writehook */
  return (-1);
- h.base[h.size - h.left] = '\0';
  *str = realloc(h.base, (size_t)(h.size - h.left + 1));
  if (*str == NULL) /* failed to realloc it to actual size */
! *str = h.base; /* return oversize buffer */
  return (ret);
  }
--- 111,119 ----
  if (h.base == NULL) /* failed to realloc in writehook */
  return (-1);
  *str = realloc(h.base, (size_t)(h.size - h.left + 1));
  if (*str == NULL) /* failed to realloc it to actual size */
! return (-1);
! (*str)[h.size - h.left] = '\0';
  return (ret);
  }
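Review bot: in the quoted `>--- 111,118 ----` hunk from the PR, the added line `>+ (*str)[h.size - h.left] = '\0';` writes through `*str` before the `if (*str == NULL)` check that follows it, so a failed shrinking realloc() becomes a null pointer dereference, which is exactly the defect the reply points out. The index itself is right (the new size is `h.size - h.left + 1`, so `h.size - h.left` is the last byte), only the order is wrong: move the terminator write to after the NULL check, or write it into `h.base` before the realloc(), since realloc() preserves the contents of the block and the NUL survives the shrink on both the success and the failure path.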
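Review bot: the `--- 111,119 ----` hunk in the reply closes the null dereference but leaks the buffer on the failure path: when the shrinking realloc() returns NULL the original block `h.base` is untouched and still allocated, and `! return (-1);` leaves it without freeing it. Either add `free(h.base);` before the `return (-1);`, or keep the old behaviour of returning the still-valid oversize buffer (the `*str = h.base;` line this hunk replaces), which only needs the terminator to be written into `h.base` before the realloc() rather than after it, since realloc() preserves the contents. One caveat on that choice: if `h.base` holds exactly `h.size` bytes and `h.left` can reach 0, the deleted `- h.base[h.size - h.left] = '\0';` line writes one past the end, which would explain moving the terminator to after the `+ 1` realloc(); in that case the placement in this hunk is the right one and only the leak needs fixing. The change also makes `*str` NULL on that failure, which the old code did not; worth a note in the commit message.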
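To show the failure mode the reply describes being handled, here is an added example in C that is not code from the PR or from FreeBSD's libc: a self-contained vasprintf() variant that formats into a deliberately oversize buffer and then trims it the way the hunks above do, with a hypothetical `shrink_realloc` hook so a failing realloc() can be simulated. The names `my_vasprintf`, `my_asprintf`, `shrink_realloc`, `failing_realloc` and `shrink_failure_is_survivable` are mine, as is the 64-byte slack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook so a test can simulate realloc() failing. */
static void *(*shrink_realloc)(void *, size_t) = realloc;
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* my_vasprintf: size the output with vsnprintf(), format into a deliberately
 * oversize buffer (base/size/left play the role of h.base/h.size/h.left in
 * the hunks), then trim it.  The NUL goes into the oversize buffer, in bounds,
 * before the shrink; realloc() keeps the contents, and on failure the untouched
 * oversize buffer is handed back instead of writing through a NULL result. */
static int my_vasprintf(char **str, const char *fmt, va_list ap)
{
    va_list ap2; int len;
    size_t size, left;
    char *base, *p;
    va_copy(ap2, ap);
    len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (len < 0) { *str = NULL; return -1; }
    size = (size_t)len + 64;                   /* constructed slack, like h.size */
    if ((base = malloc(size)) == NULL) { *str = NULL; return -1; }
    vsnprintf(base, size, fmt, ap);
    left = size - (size_t)len;                 /* unused bytes, like h.left (>= 1) */
    base[size - left] = '\0';                  /* index == len < size: in bounds */
    p = shrink_realloc(base, size - left + 1);
    *str = (p != NULL) ? p : base;             /* failed shrink: keep oversize buffer */
    return len;
}

static int my_asprintf(char **str, const char *fmt, ...)
{
    va_list ap; int r;
    va_start(ap, fmt); r = my_vasprintf(str, fmt, ap); va_end(ap);
    return r;
}

/* Returns 1 if a failing shrink still yields a valid, terminated string. */
static int shrink_failure_is_survivable(void)
{
    char *s = NULL; int r, ok;
    shrink_realloc = failing_realloc;          /* simulate the realloc() failure */
    r = my_asprintf(&s, "pr %d: %s", 3451, "vasprintf");
    shrink_realloc = realloc;
    ok = (r == 18 && s != NULL && strcmp(s, "pr 3451: vasprintf") == 0);
    free(s);
    return ok;
}
```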