Hi,

the return value of malloc in bestmatch is not checked for NULL. This can
be triggered with very large files (or a limited amount of RAM) during
merge operations.

In case of NULL, the program won't necessarily end with a segmentation
fault, because V is not referenced directly. "fd" is used instead, which
points into V. With a properly tailored diff, it's possible to set a few
bytes in lower memory areas (3 bytes in my test).

Fix is simple: Use xmalloc to call fatal if we run out of memory.


Tobias

PS: This malloc looks rather prone to an integer overflow, but I haven't
    been able to trigger it. It's probably safe because there are many
    allocations done before which triggered oom for me before reaching
    this code.
---
 src/bestmatch.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bestmatch.h b/src/bestmatch.h
index 1b12923..b0d5cfb 100644
--- a/src/bestmatch.h
+++ b/src/bestmatch.h
@@ -64,7 +64,7 @@ bestmatch(OFFSET xoff, OFFSET xlim, OFFSET yoff, OFFSET ylim,
     OFFSET fmid_plus_2_min, ymax = -1;
     OFFSET c;
 
-    V = malloc ((2 * max + 3) * sizeof (OFFSET));
+    V = xmalloc ((2 * max + 3) * sizeof (OFFSET));
     fd = V + max + 1 - fmid;
 
     /*
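Review bot: switching to xmalloc removes the unchecked NULL return, but the size expression `(2 * max + 3) * sizeof (OFFSET)` on the `+` line is still computed without an overflow guard, which the cover note itself flags as a concern; consider validating `max` (non-negative and small enough that `2 * max + 3` fits) before the multiply, or computing the element count with an overflow-checked helper, so that a wrapped size cannot produce a too-small V that `fd = V + max + 1 - fmid` then indexes out of bounds.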
-- 
2.3.0
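The mail above describes two separate hazards in one allocation: an unchecked NULL from malloc that becomes a small non-NULL `fd` through pointer arithmetic, and a size expression that can wrap. The following is an added illustration of the defensive shape of that allocation; it is not code from the patch author or from the project, and `OFFSET` as `long`, `v_array_bytes` and `xmalloc_checked` (a stand-in for the project's `xmalloc`) are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: the project's OFFSET is a signed long. */
typedef long OFFSET;

/* Byte size of the V vector for a given max, as in the patch's
   (2 * max + 3) * sizeof (OFFSET), but computed in unsigned 64-bit
   arithmetic with an explicit overflow check. Returns 0 if max is
   negative or the product would not fit in size_t. */
size_t v_array_bytes(OFFSET max)
{
    if (max < 0)
        return 0;
    uint64_t um = (uint64_t) max;
    if (um > (UINT64_MAX - 3) / 2)        /* 2*max + 3 would wrap */
        return 0;
    uint64_t nelem = 2 * um + 3;
    if (nelem > SIZE_MAX / sizeof (OFFSET)) /* nelem*sizeof would wrap */
        return 0;
    return (size_t) (nelem * sizeof (OFFSET));
}

/* Hypothetical stand-in for xmalloc: never returns NULL, terminates
   the process with a message instead of letting a NULL-derived pointer
   such as fd = V + max + 1 - fmid be dereferenced later. */
void *xmalloc_checked(size_t n)
{
    void *p = malloc(n ? n : 1);
    if (p == NULL) {
        fprintf(stderr, "fatal: out of memory (%zu bytes)\n", n);
        exit(EXIT_FAILURE);
    }
    return p;
}

/* Allocate V for the given max. Returns NULL only on a size overflow,
   which the caller must treat as fatal; an OOM already exits inside
   xmalloc_checked. */
OFFSET *alloc_v(OFFSET max)
{
    size_t bytes = v_array_bytes(max);
    if (bytes == 0)
        return NULL;
    return xmalloc_checked(bytes);
}

int main(void)
{
    OFFSET max = 10, fmid = 4;
    OFFSET *V = alloc_v(max);
    if (V == NULL) {
        fprintf(stderr, "fatal: V size overflow for max=%ld\n", (long) max);
        return EXIT_FAILURE;
    }
    /* Same indexing scheme as the patch; valid indices are
       fmid - max - 1 .. fmid + max + 1 relative to fd. */
    OFFSET *fd = V + max + 1 - fmid;
    fd[fmid - max - 1] = 0;
    fd[fmid + max + 1] = 0;
    printf("V bytes: %zu, LONG_MAX rejected: %s\n",
           v_array_bytes(max), v_array_bytes(LONG_MAX) == 0 ? "yes" : "no");
    free(V);
    return 0;
}
```

The two checks are independent: `v_array_bytes` refuses a size that would wrap (so V can never be silently too small), and `xmalloc_checked` refuses to hand back NULL (so `fd` can never point a few bytes into low memory).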