cut.c has the following:
[...]
void
f_cut(FILE *fp, char *fname)
{
	int ch, field, isdelim;
	char *pos, *p, sep;
	int output;
	size_t len;
	char *lbuf, *tbuf;

	for (sep = dchar, tbuf = NULL; (lbuf = fgetln(fp, &len));) {
		output = 0;
		if (lbuf[len - 1] != '\n') {
			/* no newline at the end of the last line so add one */
			if ((tbuf = (char *)malloc(len + 1)) == NULL)
				err(1, NULL);
			memcpy(tbuf, lbuf, len);
			tbuf[len] = '\n';
			lbuf = tbuf;
		}
[...]
Now it is possible for "len+1" in the malloc() above to overflow and
turn to 0 if len is UINT_MAX. Interestingly, in this case, fgetln()
mostly fails with errno 12, ENOMEM so the while is never entered. My
question is, does the malloc() here require the overflow test as
indicated in malloc(3) manpage, or not?
Thanks.
-Amarendra
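
The overflow test the question asks about, written out for the len + 1 case as an added example; it is not part of the original message or of cut.c. The helper names dup_with_newline and unchecked_size are hypothetical, and the check assumes len is a size_t, whose arithmetic wraps at SIZE_MAX.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What the unchecked expression hands to malloc(): wraps to 0 at SIZE_MAX. */
size_t
unchecked_size(size_t len)
{
	return len + 1;
}

/*
 * Hypothetical helper, not from cut.c: copy a line of len bytes that has
 * no trailing newline into a new buffer and append '\n'. On success the
 * new length is stored in *newlen. Returns NULL with errno set on failure.
 */
char *
dup_with_newline(const char *lbuf, size_t len, size_t *newlen)
{
	char *tbuf;

	/* Test before adding: if len + 1 wrapped, malloc(0) could succeed
	 * and the memcpy() below would write len bytes past it. */
	if (len > SIZE_MAX - 1) {
		errno = EOVERFLOW;
		return NULL;
	}
	if ((tbuf = malloc(len + 1)) == NULL)
		return NULL;		/* errno set by malloc() */
	memcpy(tbuf, lbuf, len);
	tbuf[len] = '\n';
	*newlen = len + 1;
	return tbuf;
}

int
main(void)
{
	size_t n = 0;
	char *p = dup_with_newline("a:b:c", 5, &n);	/* constructed input */
	printf("unchecked size for SIZE_MAX: %zu\n", unchecked_size(SIZE_MAX));
	printf("copied %zu bytes: %s", n, p ? "ok\n" : "failed\n");
	free(p);
	p = dup_with_newline("x", SIZE_MAX, &n);
	printf("len == SIZE_MAX: %s\n", p == NULL ? "rejected" : "allocated");
	return 0;
}
```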