From owner-freebsd-bugs@FreeBSD.ORG Wed Jul 13 01:40:19 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8FE6816A41F for ; Wed, 13 Jul 2005 01:40:16 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDF3343D4C for ; Wed, 13 Jul 2005 01:40:15 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6D1eFSM019158 for ; Wed, 13 Jul 2005 01:40:15 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6D1eFYq019154; Wed, 13 Jul 2005 01:40:15 GMT (envelope-from gnats) Resent-Date: Wed, 13 Jul 2005 01:40:15 GMT Resent-Message-Id: <200507130140.j6D1eFYq019154@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dan Lukes Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E800116A41C for ; Wed, 13 Jul 2005 01:37:39 +0000 (GMT) (envelope-from dan@kulesh.obluda.cz) Received: from kulesh.obluda.cz (kulesh.obluda.cz [193.179.22.243]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5557643D45 for ; Wed, 13 Jul 2005 01:37:38 +0000 (GMT) (envelope-from dan@kulesh.obluda.cz) Received: from kulesh.obluda.cz (localhost.eunet.cz [127.0.0.1]) by kulesh.obluda.cz (8.13.3/8.13.3) with ESMTP id j6D1baqb019768 for ; Wed, 13 Jul 2005 03:37:36 +0200 (CEST) (envelope-from dan@kulesh.obluda.cz) Received: (from root@localhost) by kulesh.obluda.cz (8.13.3/8.13.1/Submit) id j6D1baG3019767; Wed, 13 Jul 2005 03:37:36 +0200 (CEST) (envelope-from dan) Message-Id: 
<200507130137.j6D1baG3019767@kulesh.obluda.cz> Date: Wed, 13 Jul 2005 03:37:36 +0200 (CEST) From: Dan Lukes To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: Subject: bin/83363: [ PATCH ] Improper handling of malloc's failures within libedit library X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Dan Lukes List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Jul 2005 01:40:19 -0000 >Number: 83363 >Category: bin >Synopsis: [ PATCH ] Improper handling of malloc's failures within libedit library >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Jul 13 01:40:15 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Dan Lukes >Release: FreeBSD 5.4-STABLE i386 >Organization: Obludarium >Environment: System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386 lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr >Description: Improper handling of malloc's failures >How-To-Repeat: >Fix: --- patch begins here --- --- lib/libedit/history.c.ORIG Thu Oct 24 01:23:09 2002 +++ lib/libedit/history.c Wed Jul 13 02:42:01 2005 @@ -37,7 +37,7 @@ */ #if !defined(lint) && !defined(SCCSID) -static char sccsid[] = "@(#)history.c 8.1 (Berkeley) 6/4/93"; +static volatile char sccsid[] = "@(#)history.c 8.1 (Berkeley) 6/4/93"; #endif /* not lint && not SCCSID */ #include __FBSDID("$FreeBSD: src/lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr Exp $"); 
@@ -85,9 +85,10 @@ #define HENTER(h, ev, str) (*(h)->h_enter)((h)->h_ref, ev, str) #define HADD(h, ev, str) (*(h)->h_add)((h)->h_ref, ev, str) -#define h_malloc(a) malloc(a) -#define h_realloc(a, b) realloc((a), (b)) -#define h_free(a) free(a) +#define h_malloc(a) malloc(a) +#define h_realloc(a, b) realloc((a), (b)) +#define h_reallocf(a, b) reallocf((a), (b)) +#define h_free(a) free(a) private int history_setsize(History *, HistEvent *, int); @@ -374,12 +375,16 @@ { h->cursor = (hentry_t *) h_malloc(sizeof(hentry_t)); - if (h->cursor) - h->cursor->ev.str = strdup(str); - if (!h->cursor || !h->cursor->ev.str) { + if (!h->cursor) { he_seterrev(ev, _HE_MALLOC_FAILED); return (-1); - } + }; + h->cursor->ev.str = strdup(str); + if (!h->cursor->ev.str) { + h_free(h->cursor); + he_seterrev(ev, _HE_MALLOC_FAILED); + return (-1); + }; h->cursor->ev.num = ++h->eventid; h->cursor->next = h->list.next; h->cursor->prev = &h->list; @@ -423,15 +428,17 @@ { history_t *h = (history_t *) h_malloc(sizeof(history_t)); - if (n <= 0) - n = 0; - h->eventid = 0; - h->cur = 0; - h->max = n; - h->list.next = h->list.prev = &h->list; - h->list.ev.str = NULL; - h->list.ev.num = 0; - h->cursor = &h->list; + if (h != NULL) { + if (n <= 0) + n = 0; + h->eventid = 0; + h->cur = 0; + h->max = n; + h->list.next = h->list.prev = &h->list; + h->list.ev.str = NULL; + h->list.ev.num = 0; + h->cursor = &h->list; + }; *p = (ptr_t) h; } @@ -464,7 +471,14 @@ History *h = (History *) h_malloc(sizeof(History)); HistEvent ev; + if (h == NULL) + return(NULL); + history_def_init(&h->h_ref, &ev, 0); + if (h->h_ref == NULL) { + h_free(h); + return(NULL); + } h->h_ent = -1; h->h_next = history_def_next; h->h_first = history_def_first; @@ -475,7 +489,6 @@ h->h_clear = history_def_clear; h->h_enter = history_def_enter; h->h_add = history_def_add; - return (h); } @@ -589,7 +602,7 @@ FILE *fp; char *line; size_t sz, max_size; - char *ptr; + char *ptr = NULL; int i = -1; HistEvent ev; 
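Review bot: In the `@@ -374,12 +375,16 @@` hunk, `h->cursor` is overwritten before either allocation is known to have succeeded. On the error returns it is left NULL (malloc failure) or pointing at the entry just released by `h_free(h->cursor)` (strdup failure), so any later use of the cursor would touch a null or freed pointer, and the previous cursor position is lost. Building the entry in a local and assigning `h->cursor` only after both allocations succeed avoids that. The `};` after the closing braces here and in the `@@ -423,15 +428,17 @@` hunk is a stray empty statement. The function's signature and tail are outside the hunk.

```c
	hentry_t *c = (hentry_t *) h_malloc(sizeof(hentry_t));

	if (c == NULL) {
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	c->ev.str = strdup(str);
	if (c->ev.str == NULL) {
		h_free(c);
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	h->cursor = c;
	/* … unchanged: event numbering and list linking through h->cursor … */
```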
@@ -603,6 +616,8 @@ goto done; ptr = h_malloc(max_size = 1024); + if (ptr == NULL) + goto done; for (i = 0; (line = fgetln(fp, &sz)) != NULL; i++) { char c = line[sz]; @@ -619,9 +634,9 @@ line[sz] = c; HENTER(h, &ev, ptr); } - h_free(ptr); done: + h_free(ptr); (void) fclose(fp); return (i); } @@ -637,7 +652,7 @@ HistEvent ev; int i = 0, retval; size_t len, max_size; - char *ptr; + char *ptr = NULL; if ((fp = fopen(fname, "w")) == NULL) return (-1); @@ -645,17 +660,22 @@ (void) fchmod(fileno(fp), S_IRUSR|S_IWUSR); (void) fputs(hist_cookie, fp); ptr = h_malloc(max_size = 1024); + if (ptr == NULL) + goto done; for (retval = HLAST(h, &ev); retval != -1; retval = HPREV(h, &ev), i++) { len = strlen(ev.str) * 4; if (len >= max_size) { max_size = (len + 1023) & 1023; - ptr = h_realloc(ptr, max_size); + ptr = h_reallocf(ptr, max_size); + if (ptr == NULL) + goto done; } (void) strvis(ptr, ev.str, VIS_WHITE); (void) fprintf(fp, "%s\n", ptr); } +done: h_free(ptr); (void) fclose(fp); return (i); --- lib/libedit/tokenizer.c.ORIG Mon Jul 1 22:53:03 2002 +++ lib/libedit/tokenizer.c Wed Jul 13 02:42:44 2005 @@ -37,7 +37,7 @@ */ #if !defined(lint) && !defined(SCCSID) -static char sccsid[] = "@(#)tokenizer.c 8.1 (Berkeley) 6/4/93"; +static volatile char sccsid[] = "@(#)tokenizer.c 8.1 (Berkeley) 6/4/93"; #endif /* not lint && not SCCSID */ #include __FBSDID("$FreeBSD: src/lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien Exp $"); 
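Review bot: The load loop between the `@@ -603,6 +616,8 @@` and `@@ -619,9 +634,9 @@` hunks is not part of the patch, so any buffer growth inside it is left as it was. If that loop enlarges `ptr` with `h_realloc` the way history_save did before this change, a failed reallocation there still leaks the old buffer and hands a NULL `ptr` to the next use. It would then need the same treatment as the save path: `ptr = h_reallocf(ptr, max_size);` followed by `if (ptr == NULL) goto done;`. The function's signature is outside these hunks.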
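Review bot: In the `@@ -645,17 +660,22 @@` hunk (history_save), the unchanged line `max_size = (len + 1023) & 1023;` masks with `1023` instead of `~1023`, so the new size is always below 1024 and smaller than `len`, and the following `strvis(ptr, ev.str, VIS_WHITE)` can write past the shrunken buffer for a long history entry. Since the patch already rewrites this reallocation, the line should become `max_size = (len + 1024) & ~1023;`, which also leaves room for the terminating NUL when `len` is a multiple of 1024. Separately, both new `goto done` paths return `i` (0 when the first allocation fails), which a caller cannot tell apart from success; setting `i = -1;` before each jump would match the `fopen` failure return. The function's signature lies outside this hunk.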
@@ -108,22 +108,24 @@ { Tokenizer *tok = (Tokenizer *) tok_malloc(sizeof(Tokenizer)); + if (tok == NULL) + return(NULL); tok->ifs = strdup(ifs ? ifs : IFS); tok->argc = 0; tok->amax = AINCR; tok->argv = (char **) tok_malloc(sizeof(char *) * tok->amax); - if (tok->argv == NULL) - return (NULL); - tok->argv[0] = NULL; tok->wspace = (char *) tok_malloc(WINCR); - if (tok->wspace == NULL) - return (NULL); + if (tok->ifs == NULL || tok->argv == NULL || tok->wspace == NULL) { + tok_end(tok); + return(NULL); + } + tok->argv[0] = NULL; tok->wmax = tok->wspace + WINCR; tok->wstart = tok->wspace; tok->wptr = tok->wspace; tok->flags = 0; tok->quote = Q_none; - + return (tok); } --- patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
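Review bot: The single failure branch in tok_init calls `tok_end(tok)` on a half-built tokenizer, which is safe only if `tok_end` does nothing beyond freeing `ifs`, `argv`, `wspace` and `tok` itself. `tok_end` is not visible in this patch, so the assumption deserves a comment at the call, e.g. `/* ifs, argv and wspace are all assigned (possibly NULL) by now; tok_end() only frees them */`. The hunk also writes `return(NULL)` where the surrounding code uses `return (NULL)`, and the `-`/`+` pair before `return (tok);` appears to be a whitespace-only change that could be dropped. The function's signature is outside the hunk.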