Hi,

the return value of malloc in bestmatch is not checked for NULL. This can be triggered with very large files (or a limited amount of RAM) during merge operations.

In case of NULL, the program won't necessarily end with a segmentation fault, because V is not referenced directly. "fd" is used instead, which points into V. With a properly tailored diff, it's possible to set a few bytes in lower memory areas (3 bytes in my test).

Fix is simple: Use xmalloc to call fatal if we run out of memory.

Tobias

PS: This malloc looks rather prone to an integer overflow, but I haven't been able to trigger it. It's probably safe because there are many allocations done before which triggered oom for me before reaching this code.

---
 src/bestmatch.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bestmatch.h b/src/bestmatch.h
index 1b12923..b0d5cfb 100644
--- a/src/bestmatch.h
+++ b/src/bestmatch.h
@@ -64,7 +64,7 @@ bestmatch(OFFSET xoff, OFFSET xlim, OFFSET yoff, OFFSET ylim,
   OFFSET fmid_plus_2_min, ymax = -1;
   OFFSET c;
-  V = malloc ((2 * max + 3) * sizeof (OFFSET));
+  V = xmalloc ((2 * max + 3) * sizeof (OFFSET));
   fd = V + max + 1 - fmid;
   /*
-- 
2.3.0
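Review bot: the size expression `(2 * max + 3) * sizeof (OFFSET)` on the `+` line is still computed unchecked, so switching to `xmalloc` closes the NULL-return hole but leaves the integer-overflow concern from the PS open: `2 * max + 3` is evaluated in the signed OFFSET type before the multiplication, and a wrapped result would hand `xmalloc` a small request that succeeds, after which `fd = V + max + 1 - fmid` points past the buffer again. Suggest bounding `max` before the allocation or using an overflow-checked multiply helper, if the project has one, so that an oversized request is rejected rather than silently shrunk.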
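An added example, not code from the message or from the project's patch, showing the hardened form of this allocation in C: the `2 * max + 3` count and the byte size are checked for wraparound before an abort-on-NULL allocator is called, so neither a NULL return nor a wrapped size can leave `fd` pointing outside the buffer. `OFFSET` being `long`, `xmalloc_demo`, `v_bytes` and `alloc_v` are assumptions made for the example; the project's own OFFSET type and xmalloc are not shown on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>

/* Assumption: the page does not show the project's OFFSET typedef. */
typedef long OFFSET;

/* Stand-in for the project's xmalloc: abort on allocation failure instead
   of returning NULL, which is the behaviour the patch relies on. */
static void *xmalloc_demo(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fprintf(stderr, "fatal: out of memory (%zu bytes)\n", n);
        exit(2);
    }
    return p;
}

/* Size in bytes of the V array, i.e. (2 * max + 3) * sizeof(OFFSET),
   computed in size_t with explicit wraparound checks.
   Returns 0 if max is negative or the size would overflow. */
size_t v_bytes(OFFSET max)
{
    size_t count;

    if (max < 0)
        return 0;                                   /* nonsensical count */
    if ((size_t)max > (SIZE_MAX - 3) / 2)
        return 0;                                   /* 2 * max + 3 would wrap */
    count = 2 * (size_t)max + 3;
    if (count > SIZE_MAX / sizeof(OFFSET))
        return 0;                                   /* count * sizeof would wrap */
    return count * sizeof(OFFSET);
}

/* Hardened allocation of V: checked arithmetic first, abort-on-NULL second. */
OFFSET *alloc_v(OFFSET max)
{
    size_t bytes = v_bytes(max);
    if (bytes == 0) {
        fprintf(stderr, "fatal: bestmatch buffer size overflow (max=%ld)\n", (long)max);
        exit(2);
    }
    return xmalloc_demo(bytes);
}

/* Allocate V for a given max, touch the last element, free it.
   Returns 1 on success; used to show the buffer really has 2*max+3 slots. */
int alloc_v_roundtrip(OFFSET max)
{
    OFFSET *V = alloc_v(max);
    V[2 * max + 2] = 1;     /* last valid index */
    free(V);
    return 1;
}

int main(void)
{
    OFFSET max = 10;        /* constructed sample value */
    printf("V for max=%ld needs %zu bytes\n", (long)max, v_bytes(max));
    printf("max=%ld rejected: %s\n", LONG_MAX / 2, v_bytes(LONG_MAX / 2) == 0 ? "yes" : "no");
    return alloc_v_roundtrip(max) ? 0 : 1;
}
```

The point of `v_bytes` is that the rejection happens on the arithmetic, independent of whether the allocator later succeeds: a request that has wrapped to a small number would otherwise be granted by malloc and xmalloc alike.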