Matt McCutchen's Web Site
/
rsync
/
rsync.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fixed a potential overflow issue with realloc() that Sebastian Krahmer
[rsync/rsync.git]
/
util.c
diff --git
a/util.c
b/util.c
index
a40ce7b
..
a53af8d
100644
(file)
--- a/
util.c
+++ b/
util.c
@@
-1329,7
+1329,7
@@
void *_new_array(unsigned long num, unsigned int size, int use_calloc)
return use_calloc ? calloc(num, size) : malloc(num * size);
}
return use_calloc ? calloc(num, size) : malloc(num * size);
}
-void *_realloc_array(void *ptr, unsigned int size,
unsigned long
num)
+void *_realloc_array(void *ptr, unsigned int size,
size_t
num)
{
if (num >= MALLOC_MAX/size)
return NULL;
{
if (num >= MALLOC_MAX/size)
return NULL;
@@
-1550,7
+1550,10
@@
void *expand_item_list(item_list *lp, size_t item_size,
new_size += incr;
else
new_size *= 2;
new_size += incr;
else
new_size *= 2;
- new_ptr = realloc_array(lp->items, char, new_size * item_size);
+ if (new_size < lp->malloced)
+ overflow_exit("expand_item_list");
+ /* Using _realloc_array() lets us pass the size, not a type. */
+ new_ptr = _realloc_array(lp->items, item_size, new_size);
if (verbose >= 4) {
rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
who_am_i(), desc, (double)new_size * item_size,
if (verbose >= 4) {
rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
who_am_i(), desc, (double)new_size * item_size,