Module Name:    src
Committed By:   christos
Date:           Thu Sep 22 12:49:57 UTC 2011

Modified Files:
        src/usr.bin/find: function.c

Log Message:
Fix unchecked malloc, check for overflow (Maksymilian Arciemowicz)
While here, remove unused casts, fix types.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/usr.bin/find/function.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.bin/find/function.c
diff -u src/usr.bin/find/function.c:1.66 src/usr.bin/find/function.c:1.67
--- src/usr.bin/find/function.c:1.66	Wed Feb 23 21:55:18 2011
+++ src/usr.bin/find/function.c	Thu Sep 22 08:49:57 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: function.c,v 1.66 2011/02/24 02:55:18 jmcneill Exp $	*/
+/*	$NetBSD: function.c,v 1.67 2011/09/22 12:49:57 christos Exp $	*/
 
 /*-
  * Copyright (c) 1990, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "from: @(#)function.c	8.10 (Berkeley) 5/4/95";
 #else
-__RCSID("$NetBSD: function.c,v 1.66 2011/02/24 02:55:18 jmcneill Exp $");
+__RCSID("$NetBSD: function.c,v 1.67 2011/09/22 12:49:57 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -499,7 +499,8 @@
 int
 f_exec(PLAN *plan, FTSENT *entry)
 {
-	int cnt, l;
+	size_t cnt;
+	int l;
 	pid_t pid;
 	int status;
 
@@ -627,7 +628,8 @@
 c_exec(char ***argvp, int isok)
 {
 	PLAN *new;			/* node returned */
-	int cnt, brace, lastbrace;
+	size_t cnt;
+	int brace, lastbrace;
 	char **argv, **ap, *p;
 
 	isoutput = 1;
@@ -665,12 +667,12 @@
 		errx(1, "-ok: terminating \"+\" not permitted.");
 
 	if (new->flags & F_PLUSSET) {
-		u_int c, bufsize;
+		size_t c, bufsize;
 
 		cnt = ap - *argvp - 1;			/* units are words */
 		new->ep_maxargs = 5000;
-		new->e_argv = (char **)emalloc((u_int)(cnt + new->ep_maxargs)
-						* sizeof(char **));
+		new->e_argv = emalloc((cnt + new->ep_maxargs)
+		    * sizeof(*new->e_argv));
 
 		/* We start stuffing arguments after the user's last one. */
 		new->ep_bxp = &new->e_argv[cnt];
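Review bot: With `cnt` now a `size_t`, the assignment `cnt = ap - *argvp - 1` converts a signed pointer difference to unsigned, so a difference of zero would become SIZE_MAX instead of -1. The sum `(cnt + new->ep_maxargs) * sizeof(*new->e_argv)` passed to emalloc would then wrap to a small size. The scan that positions `ap` starts before this hunk, so the lower bound cannot be confirmed from here; presumably at least one word always precedes the terminating "+". If so, I would record it on that line, for example `/* units are words; scan above guarantees ap - *argvp >= 1 */`, or add an explicit `if (ap - *argvp < 1) errx(...)` guard before the subtraction. The hard-coded `5000` for ep_maxargs would also be easier to audit as a named constant.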
@@ -680,34 +682,36 @@
 		 * Count up the space of the user's arguments, and
 		 * subtract that from what we allocate.
 		 */
+#define MAXARG (ARG_MAX - 4 * 1024)
 		for (argv = *argvp, c = 0, cnt = 0;
 		     argv < ap;
 		     ++argv, ++cnt) {
 			c += strlen(*argv) + 1;
+			if (c >= MAXARG)
+				errx(1, "Arguments too long");
 			new->e_argv[cnt] = *argv;
 		}
-		bufsize = ARG_MAX - 4 * 1024 - c;
-
+		bufsize = MAXARG - c;
 
 		/*
 		 * Allocate, and then initialize current, base, and
 		 * end pointers.
 		 */
-		new->ep_p = new->ep_bbp = malloc(bufsize + 1);
+		new->ep_p = new->ep_bbp = emalloc(bufsize + 1);
 		new->ep_ebp = new->ep_bbp + bufsize - 1;
 		new->ep_rval = 0;
 	} else { /* !F_PLUSSET */
 		cnt = ap - *argvp + 1;
-		new->e_argv = (char **)emalloc((u_int)cnt * sizeof(char *));
-		new->e_orig = (char **)emalloc((u_int)cnt * sizeof(char *));
-		new->e_len = (int *)emalloc((u_int)cnt * sizeof(int));
+		new->e_argv = emalloc(cnt * sizeof(*new->e_argv));
+		new->e_orig = emalloc(cnt * sizeof(*new->e_orig));
+		new->e_len = emalloc(cnt * sizeof(*new->e_len));
 
 		for (argv = *argvp, cnt = 0; argv < ap; ++argv, ++cnt) {
 			new->e_orig[cnt] = *argv;
 			for (p = *argv; *p; ++p)
 				if (p[0] == '{' && p[1] == '}') {
 					new->e_argv[cnt] =
-						emalloc((u_int)MAXPATHLEN);
+						emalloc(MAXPATHLEN);
 					new->e_len[cnt] = MAXPATHLEN;
 					break;
 				}
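Review bot: `MAXARG` is defined in the middle of c_exec's F_PLUSSET branch and is never undefined, so it stays visible to everything below it in function.c. The 4 * 1024 it subtracts from ARG_MAX is also unexplained. I would put a one-line comment above the `#define` saying what that reserve is for, and add `#undef MAXARG` right after `bufsize = MAXARG - c;`. The new `c >= MAXARG` test stops the unsigned subtraction from wrapping, but it still allows `bufsize` to be as small as 1. Whether the code that later fills `ep_bbp` copes with a buffer too short for a single pathname lies outside this hunk and is worth confirming; the `for` loop in the !F_PLUSSET branch also continues past the end of the hunk.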
@@ -736,7 +740,7 @@
 int
 f_execdir(PLAN *plan, FTSENT *entry)
 {
-	int cnt;
+	size_t cnt;
 	pid_t pid;
 	int status;
 	char *file;
@@ -780,7 +784,7 @@
 c_execdir(char ***argvp, int isok)
 {
 	PLAN *new;			/* node returned */
-	int cnt;
+	size_t cnt;
 	char **argv, **ap, *p;
 
 	ftsoptions &= ~FTS_NOSTAT;
@@ -797,15 +801,15 @@
 	}
 
 	cnt = ap - *argvp + 1;
-	new->e_argv = (char **)emalloc((u_int)cnt * sizeof(char *));
-	new->e_orig = (char **)emalloc((u_int)cnt * sizeof(char *));
-	new->e_len = (int *)emalloc((u_int)cnt * sizeof(int));
+	new->e_argv = emalloc(cnt * sizeof(*new->e_argv));
+	new->e_orig = emalloc(cnt * sizeof(*new->e_orig));
+	new->e_len = emalloc(cnt * sizeof(*new->e_len));
 
 	for (argv = *argvp, cnt = 0; argv < ap; ++argv, ++cnt) {
 		new->e_orig[cnt] = *argv;
 		for (p = *argv; *p; ++p)
 			if (p[0] == '{' && p[1] == '}') {
-				new->e_argv[cnt] = emalloc((u_int)MAXPATHLEN);
+				new->e_argv[cnt] = emalloc(MAXPATHLEN);
 				new->e_len[cnt] = MAXPATHLEN;
 				break;
 			}
