Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / strace / aa524c88c49814863cb7f19e5c8a8eeca6ce22fe^! / . / file.c
commitaa524c88c49814863cb7f19e5c8a8eeca6ce22fe[log] [tgz]
authorRoland McGrath <roland@redhat.com>Wed Jun 01 19:22:06 2005 +0000
committerRoland McGrath <roland@redhat.com>Wed Jun 01 19:22:06 2005 +0000
treea2990277e60e1f07e3ffee8e7d0fe0ff42944531
parentb422e0d47dd81daa7d7df359f1237c7aaea173cb [diff] [blame]
2005-05-31  Dmitry V. Levin  <ldv@altlinux.org>

	Deal with memory management issues.
	* defs.h (tprint_iov): Update prototype.
	* desc.c (sys_epoll_wait) [HAVE_SYS_EPOLL_H]: Do not allocate
	epoll_event array of arbitrary size on the stack, to avoid
	stack overflow.
	* file.c (print_xattr_val): Check for integer overflow during
	malloc size calculation, to avoid heap corruption.
	* io.c (tprint_iov) [HAVE_SYS_UIO_H]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	Change iovec array handling to avoid heap memory allocation.
	* mem.c (get_nodes) [LINUX]: Check for integer overflow during
	size calculation and do not allocate array of arbitrary size on
	the stack, to avoid stack overflow.
	* net.c (printcmsghdr) [HAVE_SENDMSG]: Do not allocate array of
	arbitrary size on the stack, to avoid stack overflow.  Do not
	trust cmsg.cmsg_len to avoid read beyond the end of allocated
	object.
	(printmsghdr) [HAVE_SENDMSG]: Update tprint_iov() usage.
	* process.c (sys_setgroups): Check for integer overflow during
	malloc size calculation, to avoid heap corruption.  Change gid_t
	array handling to avoid heap memory allocation.
	(sys_getgroups): Likewise.
	(sys_setgroups32) [LINUX]: Likewise.
	(sys_getgroups32) [LINUX]: Likewise.
	* stream.c (sys_poll) [HAVE_SYS_POLL_H]: Check for integer
	overflow during malloc size calculation, to avoid heap corruption.
	Change pollfd array handling to avoid heap memory allocation.
	* system.c (sys_sysctl) [LINUX]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	* util.c (dumpiov) [HAVE_SYS_UIO_H]: Check for integer overflow
	during malloc size calculation, to avoid heap corruption.
	Fixes RH#159196.

diff --git a/file.c b/file.c
index 821d4a8..52c3631 100644
--- a/file.c
+++ b/file.c

@@ -2347,10 +2347,11 @@
 struct tcb *tcp;
 int failed;
 unsigned long arg;
-long insize, size;
+unsigned long insize, size;
 {
     if (!failed) {
-	unsigned char *buf = malloc(4 * size + 1);
+	unsigned long capacity = 4 * size + 1;
+	unsigned char *buf = (capacity < size) ? NULL : malloc(capacity);
 	if (buf == NULL || /* probably a bogus size argument */
 	    umoven(tcp, arg, size, (char *) &buf[3 * size]) < 0) {
 	    failed = 1;