mkiiskila closed pull request #905: Possible integer overflows when computing malloc sizes URL: https://github.com/apache/mynewt-core/pull/905
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/libc/baselibc/src/calloc.c b/libc/baselibc/src/calloc.c
index 3db76649d..505339b05 100644
--- a/libc/baselibc/src/calloc.c
+++ b/libc/baselibc/src/calloc.c
@@ -4,13 +4,17 @@
 #include <stdlib.h>
 #include <string.h>
-
-/* FIXME: This should look for multiplication overflow */
+#include <stdint.h>
 void *calloc(size_t nmemb, size_t size)
 {
 void *ptr;
+ int nb;
+ nb = sizeof(size_t) * 4;
+ if (size >= SIZE_MAX >> nb || nmemb >= SIZE_MAX >> nb) {
+ return NULL;
+ }
 size *= nmemb;
 ptr = malloc(size);
 if (ptr)
diff --git a/libc/baselibc/src/malloc.c b/libc/baselibc/src/malloc.c
index c00b08892..2bf45515d 100644
--- a/libc/baselibc/src/malloc.c
+++ b/libc/baselibc/src/malloc.c
@@ -7,6 +7,7 @@
 #include <stdbool.h>
 #include <stdlib.h>
 #include <assert.h>
+#include <stdint.h>
 #include "malloc.h"
 /* Both the arena list and the free memory list are double linked
@@ -148,8 +149,9 @@ void *malloc(size_t size)
 void *more_mem;
 extern void *_sbrk(int incr);
- if (size == 0)
+ if (size == 0 || size > (SIZE_MAX - sizeof(struct arena_header))) {
 return NULL;
+ }
 /* Add the obligatory arena header, and round up */
 size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;
diff --git a/libc/baselibc/src/realloc.c b/libc/baselibc/src/realloc.c
index 77e8acb26..5bfab3136 100644
--- a/libc/baselibc/src/realloc.c
+++ b/libc/baselibc/src/realloc.c
@@ -18,7 +18,7 @@ void *realloc(void *ptr, size_t size)
 if (!ptr)
 return malloc(size);
- if (size == 0) {
+ if (size == 0 || size > (SIZE_MAX - sizeof(struct arena_header))) {
 free(ptr);
 return NULL;
 }
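Review bot: The new guard in calloc rejects any nmemb or size at or above 2^(bits/2) rather than testing the actual product, so on a 32-bit target calloc(1, 65536) returns NULL although 65536 bytes cannot overflow a size_t; callers that allocate a single buffer larger than 64 KiB will see spurious allocation failures. The exact test is a single division and needs neither the `nb` local (which also stores a size_t expression in an `int`) nor the shift: `if (nmemb != 0 && size > SIZE_MAX / nmemb) { return NULL; }`. calloc's body continues past the `if (ptr)` line at the end of the hunk.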
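Review bot: The upper bound added to malloc, `size > (SIZE_MAX - sizeof(struct arena_header))`, does not match the rounding two lines later, which adds `2 * sizeof(struct arena_header) - 1` before masking, so any size in the window between the two bounds still wraps past SIZE_MAX and yields a tiny arena for a huge request. The check should reserve what the rounding actually adds, e.g. `if (size == 0 || size > SIZE_MAX - 2 * sizeof(struct arena_header)) {`. The same bound is copied into realloc.c in the following hunk (`if (size == 0 || size > (SIZE_MAX - sizeof(struct arena_header))) {`) and should move with it, though since realloc forwards to malloc the malloc check alone is what protects the arithmetic. malloc's body continues outside the hunk.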
@@ -40,11 +40,12 @@ void *realloc(void *ptr, size_t size)
 oldsize = ah->a.size - sizeof(struct arena_header);
 newptr = malloc(size);
- if(newptr) {
+ if (newptr) {
 memcpy(newptr, ptr, (size < oldsize) ? size : oldsize);
+ free(ptr);
+ } else {
+ newptr = ptr;
 }
- free(ptr);
-
 return newptr;
 }
 }
diff --git a/net/oic/src/api/oc_ri.c b/net/oic/src/api/oc_ri.c
index a99702536..a1211d658 100644
--- a/net/oic/src/api/oc_ri.c
+++ b/net/oic/src/api/oc_ri.c
@@ -228,8 +228,6 @@ oc_ri_mem_init(void)
 void
 oc_ri_init(void)
 {
- oc_random_init(0); // Fix: allow user to seed RNG.
-
 #ifdef OC_CLIENT
 SLIST_INIT(&oc_client_cbs);
 #endif
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
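Review bot: The added `} else { newptr = ptr; }` makes realloc return the original block when malloc fails, so a caller doing `p = realloc(p, n); if (!p) ...` never observes the failure and may go on to write `n` bytes into a block that is still only `oldsize` bytes long. Moving `free(ptr)` inside the success path is the right fix for the old use-after-free, but the failure path must still return NULL and leave the original block intact, which is what the unchanged `return newptr;` already does once the else branch is deleted: `if (newptr) { memcpy(newptr, ptr, (size < oldsize) ? size : oldsize); free(ptr); } return newptr;`. If some in-tree caller relies on the non-standard "original pointer on failure" behaviour, that would be worth documenting in realloc.h rather than encoding silently here.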