| side by side (parent:
237e9a1
)
Fixed a potential overflow issue with realloc() that Sebastian Krahmer
author
Wayne Davison
<wayned@samba.org>
Tue, 8 Apr 2008 15:01:43 +0000
(08:01 -0700)
committer
Wayne Davison
<wayned@samba.org>
Tue, 8 Apr 2008 15:01:43 +0000
(08:01 -0700)
pointed out.
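--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
 return use_calloc ? calloc(num, size) : malloc(num * size);
 }
-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
 {
 if (num >= MALLOC_MAX/size)
 return NULL;
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
 new_size += incr;
 else
 new_size *= 2;
- new_ptr = realloc_array(lp->items, char, new_size * item_size);
+ if (new_size < lp->malloced)
+ overflow_exit("expand_item_list");
+ /* Using _realloc_array() lets us pass the size, not a type. */
+ new_ptr = _realloc_array(lp->items, item_size, new_size);
 if (verbose >= 4) {
 rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
 who_am_i(), desc, (double)new_size * item_size,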
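Review bot: The new call `_realloc_array(lp->items, item_size, new_size)` in expand_item_list passes a `size_t item_size` into a parameter that is still declared `unsigned int size`, so where size_t is wider than unsigned int an oversized item_size would be silently truncated before the `num >= MALLOC_MAX/size` bound is evaluated, and the buffer would be sized from the truncated value. Callers presumably pass small sizeof values, but since this function is the overflow guard it would be safer to widen the parameter, `void *_realloc_array(void *ptr, size_t size, size_t num)`, and to reject `size == 0` before the division. `_new_array` in the context of the first hunk keeps `unsigned long num`, which looks like the same narrowing this commit removes from `_realloc_array` and may deserve the same change. Both function bodies continue outside the hunks, so the declaration of `new_size` and the NULL check on `new_ptr` cannot be confirmed from here.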