Rich, I'm a wee bit confused with the diffs. What has happened to the original patch with setting rc to LBER_DEFAULT upon *alloc errors when breaking out? And freeing when realloc fails? Or am I looking at the wrong diffs?
Rich Megginson wrote:
Bug 324525: Memory error in ber_get_stringal/ber_bvfree
Bug 324529: ber_scanf() needs to check for NULL return from malloc/realloc
https://bugzilla.mozilla.org/show_bug.cgi?id=324525
https://bugzilla.mozilla.org/show_bug.cgi?id=324529

The bugs are very closely related, and it's hard to disentangle the diffs, so two bugs for the price of one.

File: ldap/libraries/liblber/decode.c
Diffs: https://bugzilla.mozilla.org/attachment.cgi?id=209858

If ber_get_stringal encounters a bad BER tag after allocating the berval but before assigning to the bv_val, it will short circuit and return, leaving the bv_val uninitialized. If the caller then calls ber_bvfree to free the berval*, it will attempt to free bv_val and therefore free uninitialized memory.

There is a similar problem in ber_scanf in the 'v' case. Memory is allocated for the string array, but the string being read is not initialized first before calling ber_get_stringa, which may return in the case of a BER error, which will abort the vector reading, returning uninitialized memory to the caller to free. We cannot rely on calloc here since we may use realloc and AFAIK there is no recalloc.

ber_scanf needs to check for a null return from malloc/realloc and abort processing of the vector 'v' or 'V'.

_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap
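The allocate-then-fail pattern the bug report describes, as an added illustration that is not the liblber code or the attached diffs: a toy decoder over a constructed tag/length/data format (assumed: a two-field berval, 0x04 tag byte, one-byte length, LBER_DEFAULT as -1), with bv_val set to NULL before any step can fail and the vector case checking every realloc.

```c
#include <stdlib.h>
#include <string.h>
#define LBER_DEFAULT (-1)  /* error return; the real liblber value is not assumed here */
/* Stand-in for liblber's berval (assumed to have just these two fields). */
struct berval { size_t bv_len; char *bv_val; };
/* Free a berval and its string; safe only because bv_val is never left uninitialized. */
void bvfree(struct berval *bv) { if (bv) { free(bv->bv_val); free(bv); } }

/* Decode one element of the constructed mini-format: 0x04 tag, 1-byte length, data.
 * The berval reaches the caller even on a bad tag, so bv_val is NULLed right after malloc. */
int get_stringal(const unsigned char *buf, size_t len, size_t *used, struct berval **bvp)
{
    struct berval *bv = malloc(sizeof *bv);
    *bvp = bv;
    if (bv == NULL) return LBER_DEFAULT;
    bv->bv_val = NULL;  /* the fix: initialize before anything can fail */
    bv->bv_len = 0;
    if (len < 2 || buf[0] != 0x04 || (size_t)buf[1] + 2 > len)
        return LBER_DEFAULT;  /* bad tag or length: bvfree(*bvp) is now safe */
    bv->bv_len = buf[1];
    if ((bv->bv_val = malloc(bv->bv_len + 1)) == NULL) return LBER_DEFAULT;
    memcpy(bv->bv_val, buf + 2, bv->bv_len);
    bv->bv_val[bv->bv_len] = '\0';
    *used = bv->bv_len + 2;
    return 0;
}

/* The 'v' case: decode consecutive elements into a NULL-terminated char* vector. Each slot
 * is NULLed before it is filled and realloc goes through a temporary, so v is never lost. */
int get_stringvec(const unsigned char *buf, size_t len, char ***vp)
{
    char **v = NULL, **tmp;
    size_t n = 0, used = 0;
    struct berval *bv;
    *vp = NULL;
    while (len > 0) {
        if ((tmp = realloc(v, (n + 2) * sizeof *v)) == NULL) goto fail; /* v still valid */
        v = tmp;
        v[n] = v[n + 1] = NULL;
        if (get_stringal(buf, len, &used, &bv) != 0) { bvfree(bv); goto fail; }
        v[n++] = bv->bv_val;  /* vector takes ownership of the string */
        free(bv);
        buf += used; len -= used;
    }
    *vp = v; return (int)n;
fail:
    for (size_t i = 0; i < n; i++) free(v[i]);  /* only initialized slots are freed */
    free(v);
    return LBER_DEFAULT;
}
```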
