NetBSD-Bugs archive


Re: bin/47154



The following reply was made to PR bin/47154; it has been noted by GNATS.

From: miwarin%gmail.com@localhost
To: gnats-bugs%NetBSD.org@localhost,
 gnats-admin%netbsd.org@localhost,
 netbsd-bugs%netbsd.org@localhost,
 ben%hl9.neta@localhost
Cc: 
Subject: Re: bin/47154
Date: Sat, 01 Nov 2014 21:26:06 +0900

 On Fri, 31 Oct 2014 15:10:01 +0000 (UTC)
 Miwa Susumu <miwarin%gmail.com@localhost> wrote:
 
 > The following reply was made to PR bin/47154; it has been noted by GNATS.
 > 
 > From: Miwa Susumu <miwarin%gmail.com@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: 
 > Subject: Re: bin/47154
 > Date: Sat, 1 Nov 2014 00:06:12 +0900
 > 
 >  dd.c setup()
 >  
 >    if (!(ddflags & (C_BLOCK|C_UNBLOCK))) {
 >      if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL) {      <====
 >        err(EXIT_FAILURE, NULL);
 >        /* NOTREACHED */
 >      }
 >      out.db = in.db;
 
 
 I modified it to check the arguments before malloc().
 
 
 % diff -u dd.c.orig dd.c
 --- dd.c.orig   2014-11-01 21:13:47.000000000 +0900
 +++ dd.c        2014-11-01 21:15:57.000000000 +0900
 @@ -1,4 +1,4 @@
 -/*     $NetBSD: dd.c,v 1.47.4.2 2012/04/17 00:01:36 yamt Exp $ */
 +/*     $NetBSD: dd.c,v 1.48 2011/11/06 21:22:23 jym Exp $      */
 
  /*-
   * Copyright (c) 1991, 1993, 1994
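 Review bot: The $NetBSD$ ident line at the top of the file should not be part of this patch. The removed line reads 1.47.4.2 and the added one 1.48, so dd.c.orig and dd.c were taken from different revisions (the __RCSID line further down changes the same way), and the functional hunk may then carry differences that do not belong to this fix. Regenerate the diff with both files starting from the same revision so that only the intended change remains.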
 @@ -43,7 +43,7 @@
  #if 0
  static char sccsid[] = "@(#)dd.c       8.5 (Berkeley) 4/2/94";
  #else
 -__RCSID("$NetBSD: dd.c,v 1.47.4.2 2012/04/17 00:01:36 yamt Exp $");
 +__RCSID("$NetBSD: dd.c,v 1.48 2011/11/06 21:22:23 jym Exp $");
  #endif
  #endif /* not lint */
 
 @@ -212,10 +212,10 @@
          * record oriented I/O, only need a single buffer.
          */
         if (!(ddflags & (C_BLOCK|C_UNBLOCK))) {
 -               size_t dbsz = out.dbsz;
 -               if (!(ddflags & C_BS))
 -                       dbsz += in.dbsz - 1;
 -               if ((in.db = malloc(dbsz)) == NULL) {
 +               if((out.dbsz + in.dbsz - 1) > SIZE_T_MAX) {
 +                       errx(EXIT_FAILURE, "bs must be less than %u", SIZE_T_MAX);
 +               }
 +               if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL) {
                         err(EXIT_FAILURE, NULL);
                         /* NOTREACHED */
                 }
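 Review bot: The new test `(out.dbsz + in.dbsz - 1) > SIZE_T_MAX` cannot catch the overflow if out.dbsz and in.dbsz are size_t, as the removed `size_t dbsz = out.dbsz;` suggests: the sum is computed in size_t, wraps first, and is therefore never greater than SIZE_T_MAX. Compare before adding, for example `if (out.dbsz > SIZE_T_MAX - in.dbsz)`. The hunk also drops the `if (!(ddflags & C_BS))` condition from the removed lines, so in.dbsz - 1 is now added even when C_BS is set; keep that condition unless removing it is intended. In the errx() call, `%u` does not match a size_t-sized value; use `%zu` with a cast to size_t.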
 
 
 -- 
 miwarin
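
Added example, not part of the original message or of NetBSD's dd.c: a stand-alone C sketch of the size check discussed above, showing what the sum looks like after it has wrapped and a test made before the addition. The function names and sample sizes are assumptions for illustration; SIZE_MAX from <stdint.h> stands in for SIZE_T_MAX.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: the sum as the malloc() call would compute it.
 * size_t arithmetic wraps modulo SIZE_MAX + 1, so the result is never
 * greater than SIZE_MAX and a comparison made afterwards cannot fail. */
static size_t naive_sum(size_t out_sz, size_t in_sz)
{
	return out_sz + in_sz - 1;
}

/* Hypothetical helper: validate before adding.
 * Returns 1 and stores the size in *total, or 0 if it would overflow. */
static int combined_size(size_t out_sz, size_t in_sz, size_t *total)
{
	if (out_sz == 0 || in_sz == 0)
		return 0;			/* a zero block size is not usable */
	if (out_sz > SIZE_MAX - (in_sz - 1))
		return 0;			/* out_sz + in_sz - 1 would wrap */
	*total = out_sz + (in_sz - 1);
	return 1;
}

/* Allocate the shared buffer only when the size is representable. */
static void *alloc_combined(size_t out_sz, size_t in_sz)
{
	size_t total;

	if (!combined_size(out_sz, in_sz, &total))
		return NULL;
	return malloc(total);
}

int main(void)
{
	/* Constructed sample sizes: one ordinary pair, one that wraps. */
	size_t total = 0;
	void *p = alloc_combined(512, 512);

	printf("512+512-1 accepted: %d\n", combined_size(512, 512, &total));
	printf("wrapped sum for (SIZE_MAX, 2): %zu\n", naive_sum(SIZE_MAX, 2));
	printf("(SIZE_MAX, 2) accepted: %d\n", combined_size(SIZE_MAX, 2, &total));
	free(p);
	return 0;
}
```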
 

