Date:      Wed, 13 Jul 2005 03:37:36 +0200 (CEST)
From:      Dan Lukes <dan@obluda.cz>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/83363: [ PATCH ] Improper handling of malloc's failures within libedit library
Message-ID:  <200507130137.j6D1baG3019767@kulesh.obluda.cz>
Resent-Message-ID: <200507130140.j6D1eFYq019154@freefall.freebsd.org>


>Number:         83363
>Category:       bin
>Synopsis:       [ PATCH ] Improper handling of malloc's failures within libedit library
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 13 01:40:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Dan Lukes
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien
lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr

>Description:
	Improper handling of malloc's failures 
>How-To-Repeat:
>Fix:

--- patch begins here ---
--- lib/libedit/history.c.ORIG	Thu Oct 24 01:23:09 2002
+++ lib/libedit/history.c	Wed Jul 13 02:42:01 2005
@@ -37,7 +37,7 @@
  */
 
 #if !defined(lint) && !defined(SCCSID)
-static char sccsid[] = "@(#)history.c	8.1 (Berkeley) 6/4/93";
+static volatile char sccsid[] = "@(#)history.c	8.1 (Berkeley) 6/4/93";
 #endif /* not lint && not SCCSID */
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD: src/lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr Exp $");
@@ -85,9 +85,10 @@
 #define	HENTER(h, ev, str)	(*(h)->h_enter)((h)->h_ref, ev, str)
 #define	HADD(h, ev, str)	(*(h)->h_add)((h)->h_ref, ev, str)
 
-#define	h_malloc(a)	malloc(a)
-#define	h_realloc(a, b)	realloc((a), (b))
-#define	h_free(a)	free(a)
+#define	h_malloc(a)		malloc(a)
+#define	h_realloc(a, b)		realloc((a), (b))
+#define	h_reallocf(a, b)	reallocf((a), (b))
+#define	h_free(a)		free(a)
 
 
 private int history_setsize(History *, HistEvent *, int);
@@ -374,12 +375,16 @@
 {
 
 	h->cursor = (hentry_t *) h_malloc(sizeof(hentry_t));
-	if (h->cursor)
-		h->cursor->ev.str = strdup(str);
-	if (!h->cursor || !h->cursor->ev.str) {
+	if (!h->cursor) {
 		he_seterrev(ev, _HE_MALLOC_FAILED);
 		return (-1);
-	}
+	};
+	h->cursor->ev.str = strdup(str);
+	if (!h->cursor->ev.str) {
+		h_free(h->cursor);
+		he_seterrev(ev, _HE_MALLOC_FAILED);
+		return (-1);
+	};
 	h->cursor->ev.num = ++h->eventid;
 	h->cursor->next = h->list.next;
 	h->cursor->prev = &h->list;
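Review bot: When strdup() fails, the new branch frees the entry but leaves `h->cursor` pointing at it, so the history is left with a dangling cursor; the earlier `!h->cursor` branch likewise replaces the previous cursor with NULL. Building the entry in a local and assigning `h->cursor` only after both allocations succeed avoids both states, which presumably keeps the history usable after a failed insert. The `};` after each block is an empty statement and should be a plain `}`. The function's signature and the rest of its body are outside the hunk.

```c
	hentry_t *c = (hentry_t *) h_malloc(sizeof(hentry_t));

	if (c == NULL) {
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	c->ev.str = strdup(str);
	if (c->ev.str == NULL) {
		h_free(c);
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	h->cursor = c;
	/* … unchanged: eventid assignment and list linkage … */
```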
@@ -423,15 +428,17 @@
 {
 	history_t *h = (history_t *) h_malloc(sizeof(history_t));
 
-	if (n <= 0)
-		n = 0;
-	h->eventid = 0;
-	h->cur = 0;
-	h->max = n;
-	h->list.next = h->list.prev = &h->list;
-	h->list.ev.str = NULL;
-	h->list.ev.num = 0;
-	h->cursor = &h->list;
+	if (h != NULL) {
+		if (n <= 0)
+			n = 0;
+		h->eventid = 0;
+		h->cur = 0;
+		h->max = n;
+		h->list.next = h->list.prev = &h->list;
+		h->list.ev.str = NULL;
+		h->list.ev.num = 0;
+		h->cursor = &h->list;
+	};
 	*p = (ptr_t) h;
 }
 
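Review bot: On allocation failure this now stores NULL in `*p` but reports nothing through the HistEvent argument, unlike history_def_insert, which calls `he_seterrev(ev, _HE_MALLOC_FAILED)`. Adding `else he_seterrev(ev, _HE_MALLOC_FAILED);` after the block would keep the two consistent, assuming the event parameter is named `ev` here (the signature is outside the hunk). A comment such as `/* on malloc failure *p is set to NULL; callers must check */` would document the new contract, and the `};` should be a plain `}`.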
@@ -464,7 +471,14 @@
 	History *h = (History *) h_malloc(sizeof(History));
 	HistEvent ev;
 
+	if (h == NULL) 
+		return(NULL);
+
 	history_def_init(&h->h_ref, &ev, 0);
+	if (h->h_ref == NULL) {
+		h_free(h);
+		return(NULL);
+	}
 	h->h_ent = -1;
 	h->h_next = history_def_next;
 	h->h_first = history_def_first;
@@ -475,7 +489,6 @@
 	h->h_clear = history_def_clear;
 	h->h_enter = history_def_enter;
 	h->h_add = history_def_add;
-
 	return (h);
 }
 
@@ -589,7 +602,7 @@
 	FILE *fp;
 	char *line;
 	size_t sz, max_size;
-	char *ptr;
+	char *ptr = NULL;
 	int i = -1;
 	HistEvent ev;
 
@@ -603,6 +616,8 @@
 		goto done;
 
 	ptr = h_malloc(max_size = 1024);
+	if (ptr == NULL)
+		goto done;
 	for (i = 0; (line = fgetln(fp, &sz)) != NULL; i++) {
 		char c = line[sz];
 
@@ -619,9 +634,9 @@
 		line[sz] = c;
 		HENTER(h, &ev, ptr);
 	}
-	h_free(ptr);
 
 done:
+	h_free(ptr);
 	(void) fclose(fp);
 	return (i);
 }
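Review bot: The result of `HENTER(h, &ev, ptr)` is still discarded, so an entry that fails with _HE_MALLOC_FAILED is silently dropped and still counted in the returned value. Checking it, e.g. `if (HENTER(h, &ev, ptr) == -1) { i = -1; goto done; }`, would let callers see the failure, if h_enter follows the same -1 convention as history_def_insert. The part of the loop between the previous hunk and this one is not shown; if it grows `ptr` with h_realloc as history_save does, it needs the same NULL check before the buffer is written. The start of the function is outside this hunk.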
@@ -637,7 +652,7 @@
 	HistEvent ev;
 	int i = 0, retval;
 	size_t len, max_size;
-	char *ptr;
+	char *ptr = NULL;
 
 	if ((fp = fopen(fname, "w")) == NULL)
 		return (-1);
@@ -645,17 +660,22 @@
 	(void) fchmod(fileno(fp), S_IRUSR|S_IWUSR);
 	(void) fputs(hist_cookie, fp);
 	ptr = h_malloc(max_size = 1024);
+	if (ptr == NULL)
+		goto done;
 	for (retval = HLAST(h, &ev);
 	    retval != -1;
 	    retval = HPREV(h, &ev), i++) {
 		len = strlen(ev.str) * 4;
 		if (len >= max_size) {
 			max_size = (len + 1023) & 1023;
-			ptr = h_realloc(ptr, max_size);
+			ptr = h_reallocf(ptr, max_size);
+			if (ptr == NULL)
+				goto done;
 		}
 		(void) strvis(ptr, ev.str, VIS_WHITE);
 		(void) fprintf(fp, "%s\n", ptr);
 	}
+done:
 	h_free(ptr);
 	(void) fclose(fp);
 	return (i);
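Review bot: The size passed to the new `h_reallocf` call comes from `max_size = (len + 1023) & 1023;`, which masks the length down to 0–1023 instead of rounding it up, so the buffer ends up smaller than the `len` bytes strvis() may write into it, a heap overflow for long history lines. The line should round up and leave room for the terminator: `max_size = (len + 1024) & ~1023;`. Separately, both new `goto done` paths return `i`, so a save cut short by allocation failure is indistinguishable from a complete one; setting `i = -1` before the jump would report it. The function's closing brace is outside the hunk.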
--- lib/libedit/tokenizer.c.ORIG	Mon Jul  1 22:53:03 2002
+++ lib/libedit/tokenizer.c	Wed Jul 13 02:42:44 2005
@@ -37,7 +37,7 @@
  */
 
 #if !defined(lint) && !defined(SCCSID)
-static char sccsid[] = "@(#)tokenizer.c	8.1 (Berkeley) 6/4/93";
+static volatile char sccsid[] = "@(#)tokenizer.c	8.1 (Berkeley) 6/4/93";
 #endif /* not lint && not SCCSID */
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD: src/lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien Exp $");
@@ -108,22 +108,24 @@
 {
 	Tokenizer *tok = (Tokenizer *) tok_malloc(sizeof(Tokenizer));
 
+	if (tok == NULL)
+		return(NULL);
 	tok->ifs = strdup(ifs ? ifs : IFS);
 	tok->argc = 0;
 	tok->amax = AINCR;
 	tok->argv = (char **) tok_malloc(sizeof(char *) * tok->amax);
-	if (tok->argv == NULL)
-		return (NULL);
-	tok->argv[0] = NULL;
 	tok->wspace = (char *) tok_malloc(WINCR);
-	if (tok->wspace == NULL)
-		return (NULL);
+	if (tok->ifs == NULL || tok->argv == NULL || tok->wspace == NULL) {
+		tok_end(tok);
+		return(NULL);
+	}
+	tok->argv[0] = NULL;
 	tok->wmax = tok->wspace + WINCR;
 	tok->wstart = tok->wspace;
 	tok->wptr = tok->wspace;
 	tok->flags = 0;
 	tok->quote = Q_none;
-
+	
 	return (tok);
 }
 
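Review bot: The new error path calls `tok_end(tok)` on a partially built tokenizer, with `wmax`, `wstart`, `wptr`, `flags` and `quote` still uninitialised. That is safe only if tok_end() does nothing but free `ifs`, `argv`, `wspace` and `tok` itself; its body is not in this hunk, so this should be confirmed and recorded, e.g. `/* tok_end() only frees ifs, argv, wspace and tok; all three pointers are set (possibly NULL) by now */`. The replaced blank line before `return (tok);` now carries a trailing tab.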
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


