Re: bin/47154

[miwarin%gmail.com@localhost]

On Fri, 31 Oct 2014 15:10:01 +0000 (UTC)
Miwa Susumu <miwarin%gmail.com@localhost> wrote:

> The following reply was made to PR bin/47154; it has been noted by GNATS.
> 
> From: Miwa Susumu <miwarin%gmail.com@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: 
> Subject: Re: bin/47154
> Date: Sat, 1 Nov 2014 00:06:12 +0900
> 
>  dd.c setup()
>  
>    if (!(ddflags & (C_BLOCK|C_UNBLOCK))) {
>      if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL) {      <====
>        err(EXIT_FAILURE, NULL);
>        /* NOTREACHED */
>      }
>      out.db = in.db;


I was modified to check the arguments before malloc().


% diff -u dd.c.orig dd.c
--- dd.c.orig   2014-11-01 21:13:47.000000000 +0900
+++ dd.c        2014-11-01 21:15:57.000000000 +0900
@@ -1,4 +1,4 @@
-/*     $NetBSD: dd.c,v 1.47.4.2 2012/04/17 00:01:36 yamt Exp $ */
+/*     $NetBSD: dd.c,v 1.48 2011/11/06 21:22:23 jym Exp $      */

 /*-
  * Copyright (c) 1991, 1993, 1994
@@ -43,7 +43,7 @@
 #if 0
 static char sccsid[] = "@(#)dd.c       8.5 (Berkeley) 4/2/94";
 #else
-__RCSID("$NetBSD: dd.c,v 1.47.4.2 2012/04/17 00:01:36 yamt Exp $");
+__RCSID("$NetBSD: dd.c,v 1.48 2011/11/06 21:22:23 jym Exp $");
 #endif
 #endif /* not lint */

@@ -212,10 +212,10 @@
         * record oriented I/O, only need a single buffer.
         */
        if (!(ddflags & (C_BLOCK|C_UNBLOCK))) {
-               size_t dbsz = out.dbsz;
-               if (!(ddflags & C_BS))
-                       dbsz += in.dbsz - 1;
-               if ((in.db = malloc(dbsz)) == NULL) {
+               if((out.dbsz + in.dbsz - 1) > SIZE_T_MAX) {
+                       errx(EXIT_FAILURE, "bs must be less than %u", SIZE_T_MAX);
+               }
+               if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL) {
                        err(EXIT_FAILURE, NULL);
                        /* NOTREACHED */
                }


-- 
miwarin