check for integer overflows in custom allocs, okay jca@

2025-01-10 06:47:55 -08:00 · 2014-04-28 12:34:11 +00:00 · 2014-04-28 12:34:11 +00:00 · c608d5f4b5
commit c608d5f4b5
parent 49dc4f7fac
5 changed files with 71 additions and 15 deletions
--- a/usr.bin/m4/eval.c
+++ b/usr.bin/m4/eval.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: eval.c,v 1.71 2013/11/14 15:56:50 deraadt Exp $	*/
+/*	$OpenBSD: eval.c,v 1.72 2014/04/28 12:34:11 espie Exp $	*/
 /*	$NetBSD: eval.c,v 1.7 1996/11/10 21:21:29 pk Exp $	*/

 /*
@ -790,7 +790,7 @@ dom4wrap(const char *text)
 			maxwraps = 16;
 		else
 			maxwraps *= 2;
-		m4wraps = xrealloc(m4wraps, maxwraps * sizeof(*m4wraps),
+		m4wraps = xreallocarray(m4wraps, maxwraps, sizeof(*m4wraps),
 		   "too many m4wraps");
 	}
 	m4wraps[wrapindex++] = xstrdup(text);
--- a/usr.bin/m4/extern.h
+++ b/usr.bin/m4/extern.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.52 2012/04/12 17:00:11 espie Exp $	*/
+/*	$OpenBSD: extern.h,v 1.53 2014/04/28 12:34:11 espie Exp $	*/
 /*	$NetBSD: extern.h,v 1.3 1996/01/13 23:25:24 pk Exp $	*/

 /*-
@ -102,8 +102,10 @@ extern void	pbnumbase(int, int, int);
 extern void	pbunsigned(unsigned long);
 extern void	pbstr(const char *);
 extern void	pushback(int);
-extern void	*xalloc(size_t, const char *fmt, ...);
-extern void	*xrealloc(void *, size_t, const char *fmt, ...);
+extern void	*xalloc(size_t, const char *, ...);
+extern void	*xallocarray(size_t, size_t, const char *, ...);
+extern void	*xrealloc(void *, size_t, const char *, ...);
+extern void	*xreallocarray(void *, size_t, size_t, const char *, ...);
 extern char	*xstrdup(const char *);
 extern void	usage(void);
 extern void	resizedivs(int);
--- a/usr.bin/m4/gnum4.c
+++ b/usr.bin/m4/gnum4.c
@ -1,4 +1,4 @@
-/* $OpenBSD: gnum4.c,v 1.43 2013/11/20 16:44:27 deraadt Exp $ */
+/* $OpenBSD: gnum4.c,v 1.44 2014/04/28 12:34:11 espie Exp $ */

 /*
 * Copyright (c) 1999 Marc Espie
@ -469,7 +469,7 @@ dopatsubst(const char *argv[], int argc)
 		if (error != 0)
 			exit_regerror(error, &re);

-		pmatch = xalloc(sizeof(regmatch_t) * (re.re_nsub+1), NULL);
+		pmatch = xallocarray(re.re_nsub+1, sizeof(regmatch_t), NULL);
 		do_subst(argv[2], &re,
 		    argc > 4 && argv[4] != NULL ? argv[4] : "", pmatch);
 		free(pmatch);
@ -501,7 +501,7 @@ doregexp(const char *argv[], int argc)
 	if (error != 0)
 		exit_regerror(error, &re);

-	pmatch = xalloc(sizeof(regmatch_t) * (re.re_nsub+1), NULL);
+	pmatch = xallocarray(re.re_nsub+1, sizeof(regmatch_t), NULL);
 	if (argc == 4 || argv[4] == NULL)
 		do_regexpindex(argv[2], &re, pmatch);
 	else
--- a/usr.bin/m4/main.c
+++ b/usr.bin/m4/main.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.81 2012/04/12 17:00:11 espie Exp $	*/
+/*	$OpenBSD: main.c,v 1.82 2014/04/28 12:34:11 espie Exp $	*/
 /*	$NetBSD: main.c,v 1.12 1997/02/08 23:54:49 cgd Exp $	*/

 /*-
@ -181,8 +181,8 @@ main(int argc, char *argv[])
 	initspaces();
 	STACKMAX = INITSTACKMAX;

-	mstack = (stae *)xalloc(sizeof(stae) * STACKMAX, NULL);
-	sstack = (char *)xalloc(STACKMAX, NULL);
+	mstack = xallocarray(STACKMAX, sizeof(stae), NULL);
+	sstack = xalloc(STACKMAX, NULL);

 	maxout = 0;
 	outfile = NULL;
@ -626,7 +626,7 @@ static void
 enlarge_stack(void)
 {
 	STACKMAX += STACKMAX/2;
-	mstack = xrealloc(mstack, sizeof(stae) * STACKMAX,
+	mstack = xreallocarray(mstack, STACKMAX, sizeof(stae),
 	    "Evaluation stack overflow (%lu)",
 	    (unsigned long)STACKMAX);
 	sstack = xrealloc(sstack, STACKMAX,
--- a/usr.bin/m4/misc.c
+++ b/usr.bin/m4/misc.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: misc.c,v 1.42 2010/09/07 19:58:09 marco Exp $	*/
+/*	$OpenBSD: misc.c,v 1.43 2014/04/28 12:34:11 espie Exp $	*/
 /*	$NetBSD: misc.c,v 1.6 1995/09/28 05:37:41 tls Exp $	*/

 /*
@ -38,6 +38,7 @@
 #include <unistd.h>
 #include <stdarg.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <stddef.h>
 #include <string.h>
@ -163,7 +164,7 @@ initspaces()
 	strspace = xalloc(strsize+1, NULL);
 	ep = strspace;
 	endest = strspace+strsize;
-	buf = (unsigned char *)xalloc(bufsize, NULL);
+	buf = xalloc(bufsize, NULL);
 	bufbase = buf;
 	bp = buf;
 	endpbb = buf + bufsize;
@ -283,7 +284,7 @@ resizedivs(int n)
 {
 	int i;

-	outfile = (FILE **)xrealloc(outfile, sizeof(FILE *) * n,
+	outfile = xreallocarray(outfile, n, sizeof(FILE *),
 	    "too many diverts %d", n);
 	for (i = maxout; i < n; i++)
 		outfile[i] = NULL;
@ -309,6 +310,32 @@ xalloc(size_t n, const char *fmt, ...)
 	return p;
 }

+void *
+xallocarray(size_t s1, size_t s2, const char *fmt, ...)
+{
+	void *p;
+
+	if (s1 && SIZE_MAX / s1 < s2) {
+		errno = ENOMEM;
+		p = NULL;
+	} else {
+		p = malloc(s1 * s2);
+	}
+
+	if (p == NULL) {
+		if (fmt == NULL)
+			err(1, "malloc");
+		else {
+			va_list va;
+
+			va_start(va, fmt);
+			verr(1, fmt, va);
+			va_end(va);
+		}
+	}
+	return p;
+}
+
 void *
 xrealloc(void *old, size_t n, const char *fmt, ...)
 {
@ -329,6 +356,33 @@ xrealloc(void *old, size_t n, const char *fmt, ...)
 	return p;
 }

+void *
+xreallocarray(void *old, size_t s1, size_t s2, const char *fmt, ...)
+{
+	void *p;
+
+	if (s1 && SIZE_MAX / s1 < s2) {
+		errno = ENOMEM;
+		p = NULL;
+	} else {
+		p = realloc(old, s1 * s2);
+	}
+
+	if (p == NULL) {
+		free(old);
+		if (fmt == NULL)
+			err(1, "realloc");
+		else {
+			va_list va;
+
+			va_start(va, fmt);
+			verr(1, fmt, va);
+			va_end(va);
+		}
+	}
+	return p;
+}
+
 char *
 xstrdup(const char *s)
 {