This patch avoids a possible integer overflow on excessively large amount of events added to an event base in kqueue mode (default).
Just as with previous changes, this is very unlikely to trigger and is a just a defensive measure. Changes in this diff: * KNF (sorted imports and added limits.h for INT_MAX) * recallocarray instead of reallocarray, in sync with minheap change * adjusted error messages from malloc to recallocarray Okay? Tobias Index: kqueue.c =================================================================== RCS file: /cvs/src/lib/libevent/kqueue.c,v retrieving revision 1.40 diff -u -p -u -p -r1.40 kqueue.c --- kqueue.c 10 Jul 2017 21:37:26 -0000 1.40 +++ kqueue.c 7 May 2019 19:49:53 -0000 @@ -32,14 +32,15 @@ #include <sys/queue.h> #include <sys/event.h> +#include <assert.h> +#include <errno.h> +#include <inttypes.h> +#include <limits.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> -#include <errno.h> -#include <assert.h> -#include <inttypes.h> #include "event.h" #include "event-internal.h" @@ -133,25 +134,29 @@ kq_insert(struct kqop *kqop, struct keve struct kevent *newchange; struct kevent *newresult; + if (nevents > INT_MAX / 2) { + event_warnx("%s: integer overflow", __func__); + return (-1); + } nevents *= 2; - newchange = reallocarray(kqop->changes, - nevents, sizeof(struct kevent)); + newchange = recallocarray(kqop->changes, + kqop->nevents, nevents, sizeof(struct kevent)); if (newchange == NULL) { - event_warn("%s: malloc", __func__); + event_warn("%s: recallocarray", __func__); return (-1); } kqop->changes = newchange; - newresult = reallocarray(kqop->events, - nevents, sizeof(struct kevent)); + newresult = recallocarray(kqop->events, + kqop->nevents, nevents, sizeof(struct kevent)); /* * If we fail, we don't have to worry about freeing, * the next realloc will pick it up. */ if (newresult == NULL) { - event_warn("%s: malloc", __func__); + event_warn("%s: recallocarray", __func__); return (-1); } kqop->events = newresult;