Fixed a potential overflow issue with realloc() that Sebastian Krahmer
authorWayne Davison <wayned@samba.org>
Tue, 8 Apr 2008 15:01:43 +0000 (08:01 -0700)
committerWayne Davison <wayned@samba.org>
Tue, 8 Apr 2008 15:01:43 +0000 (08:01 -0700)
pointed out.

util.c

diff --git a/util.c b/util.c
index a40ce7b..a53af8d 100644 (file)
--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
        return use_calloc ? calloc(num, size) : malloc(num * size);
 }
 
-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
 {
        if (num >= MALLOC_MAX/size)
                return NULL;
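Review bot: The guard `if (num >= MALLOC_MAX/size)` divides by the caller-supplied `size` with no zero check, so a `size` of 0 is a division by zero (a SIGFPE on common targets) rather than a clean failure, and the commit widens `num` but leaves that divisor as is. Whether any caller can actually pass 0 is not visible from here, but the defensive form costs one token: `if (!size || num >= MALLOC_MAX/size) return NULL;`. While the signature is being touched, `size` could be widened to `size_t` for the same reason `num` was, since a caller passing a `size_t` element size is narrowed to `unsigned int` before the guard runs. The body of _realloc_array continues outside the hunk.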
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
                        new_size += incr;
                else
                        new_size *= 2;
-               new_ptr = realloc_array(lp->items, char, new_size * item_size);
+               if (new_size < lp->malloced)
+                       overflow_exit("expand_item_list");
+               /* Using _realloc_array() lets us pass the size, not a type. */
+               new_ptr = _realloc_array(lp->items, item_size, new_size);
                if (verbose >= 4) {
                        rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
                                who_am_i(), desc, (double)new_size * item_size,
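Review bot: The new call `_realloc_array(lp->items, item_size, new_size)` passes `item_size`, which the function signature declares as `size_t`, into a parameter that the first hunk shows is still `unsigned int`, so the element size is truncated before it reaches both the `MALLOC_MAX/size` guard and the allocation inside `_realloc_array`; an element size above UINT_MAX would therefore yield a buffer too small for `new_size` elements instead of being rejected. For the struct sizes this helper is presumably called with that never happens, but the guard's strength now rests on that assumption rather than on a check. Either widen `_realloc_array`'s `size` parameter to `size_t` or fail loudly at the call site: `if (item_size > UINT_MAX) overflow_exit("expand_item_list");` before the call. The added `new_size < lp->malloced` check does catch wraparound of both the `+= incr` and `*= 2` paths; what happens when `_realloc_array` returns NULL for an over-large product lies past the hunk, as does the rest of expand_item_list, which begins and ends outside it.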