On Fri, Mar 26, 2010 at 02:48:58PM +0530, Amarendra Godbole wrote:
> cut.c has the following:
>
> [...]
> void
> f_cut(FILE *fp, char *fname)
> {
> 	int ch, field, isdelim;
> 	char *pos, *p, sep;
> 	int output;
> 	size_t len;
> 	char *lbuf, *tbuf;
> 
> 	for (sep = dchar, tbuf = NULL; (lbuf = fgetln(fp, &len));) {
> 		output = 0;
> 		if (lbuf[len - 1] != '\n') {
> 			/* no newline at the end of the last line so add one */
> 			if ((tbuf = (char *)malloc(len + 1)) == NULL)
> 				err(1, NULL);
> 			memcpy(tbuf, lbuf, len);
> 			tbuf[len] = '\n';
> 			lbuf = tbuf;
> 		}
> [...]
>
> Now it is possible for "len+1" in the malloc() above to overflow and
> turn to 0 if len is UINT_MAX. Interestingly, in this case, fgetln()
> mostly fails with errno 12, ENOMEM so the while is never entered. My
> question is, does the malloc() here require the overflow test as
> indicated in malloc(3) manpage, or not?
>
> Thanks.
>
> -Amarendra
I guess you mean SIZE_MAX, which is not equal to UINT_MAX on 64-bit platforms.
But you are right, a check should be done.
-Otto
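An added example, not code from cut.c or from either poster, showing the check the thread agrees is needed and Otto's point that the wrap value is SIZE_MAX, not UINT_MAX, on LP64. copy_with_newline() does what the quoted block does (copy a newline-less final line and append '\n') but refuses when len + 1 would wrap to 0, which would otherwise turn into malloc(0) followed by writes past the allocation. It takes a plain buffer and length instead of calling fgetln() so it builds against any C library; the function names and the sample line are constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example code, not from OpenBSD cut.c. Does len + 1 wrap to 0 for this
 * size_t? Only for len == SIZE_MAX; on LP64 UINT_MAX + 1 is 2^32, not 0.
 */
int
len_plus_one_wraps(size_t len)
{
	return len + 1 == 0;
}

/*
 * Copy a line of `len` bytes that lacks a trailing newline into a fresh
 * buffer and append one, as f_cut() does. Returns NULL if the allocation
 * fails, and also if len + 1 would overflow size_t, instead of calling
 * malloc(0) and writing len + 1 bytes into it.
 */
char *
copy_with_newline(const char *lbuf, size_t len)
{
	char *tbuf;

	/* The overflow test the thread asks about. */
	if (len == SIZE_MAX)
		return NULL;
	if ((tbuf = malloc(len + 1)) == NULL)
		return NULL;
	memcpy(tbuf, lbuf, len);
	tbuf[len] = '\n';
	return tbuf;
}

/* Helper for checking the result: 1 if the copy is lbuf followed by '\n'. */
int
copy_appends_newline(const char *lbuf, size_t len)
{
	char *tbuf = copy_with_newline(lbuf, len);
	int ok;

	if (tbuf == NULL)
		return 0;
	ok = memcmp(tbuf, lbuf, len) == 0 && tbuf[len] == '\n';
	free(tbuf);
	return ok;
}

int
main(void)
{
	/* Constructed input: a final line with no trailing '\n'. */
	const char last[] = "no newline here";
	size_t len = sizeof(last) - 1;

	printf("sizeof(size_t) = %zu; UINT_MAX + 1 wraps: %d; SIZE_MAX + 1 wraps: %d\n",
	    sizeof(size_t), len_plus_one_wraps((size_t)UINT_MAX),
	    len_plus_one_wraps(SIZE_MAX));
	printf("normal line copied with newline: %d\n",
	    copy_appends_newline(last, len));
	printf("len == SIZE_MAX rejected: %d\n",
	    copy_with_newline(last, SIZE_MAX) == NULL);
	return 0;
}
```

On a 64-bit build the first line reports that UINT_MAX + 1 does not wrap while SIZE_MAX + 1 does, which is why a check written against UINT_MAX would miss the only length that actually overflows; the same check written as len == SIZE_MAX (or len + 1 < len) is right on both 32-bit and 64-bit targets.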