> Date: Fri, 26 Mar 2010 10:45:57 +0100
> From: Otto Moerbeek <[email protected]>
>
> On Fri, Mar 26, 2010 at 02:48:58PM +0530, Amarendra Godbole wrote:
>
> > cut.c has the following:
> >
> > [...]
> > void
> > f_cut(FILE *fp, char *fname)
> > {
> > 	int ch, field, isdelim;
> > 	char *pos, *p, sep;
> > 	int output;
> > 	size_t len;
> > 	char *lbuf, *tbuf;
> >
> > 	for (sep = dchar, tbuf = NULL; (lbuf = fgetln(fp, &len));) {
> > 		output = 0;
> > 		if (lbuf[len - 1] != '\n') {
> > 			/* no newline at the end of the last line so add one */
> > 			if ((tbuf = (char *)malloc(len + 1)) == NULL)
> > 				err(1, NULL);
> > 			memcpy(tbuf, lbuf, len);
> > 			tbuf[len] = '\n';
> > 			lbuf = tbuf;
> > 		}
> > [...]
> >
> > Now it is possible for "len+1" in the malloc() above to overflow and
> > turn to 0 if len is UINT_MAX. Interestingly, in this case, fgetln()
> > mostly fails with errno 12, ENOMEM so the while is never entered. My
> > question is, does the malloc() here require the overflow test as
> > indicated in malloc(3) manpage, or not?
> >
> > Thanks.
> >
> > -Amarendra
>
> I guess you mean SIZE_MAX, which is not equal to UINT_MAX on 64-bit
> platforms.
>
> But you are right, a check should be done.
Well, there is no way fgetln(3) will ever set len to SIZE_MAX.
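For reference, the guarded form of the copy-and-append step discussed above, written as an added example (not OpenBSD's cut.c and not code from anyone in the thread): the `copy_with_newline` helper name is my own, and it rejects `len == SIZE_MAX` before computing `len + 1`, so the size can never wrap to 0 and let the subsequent memcpy write past a zero-byte allocation.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Copy a line of `len` bytes that lacks a trailing newline into a new
 * buffer and append the newline, as the f_cut() fragment does.
 * The only difference is the explicit guard on len + 1: if len were
 * SIZE_MAX the addition would wrap to 0, malloc(0) could succeed, and
 * memcpy() would then write len bytes past the end of the allocation.
 *
 * Returns the new buffer (caller frees it), or NULL with errno set to
 * EOVERFLOW on the wrap case or to malloc's errno on allocation failure.
 * Hypothetical helper, added for illustration.
 */
char *
copy_with_newline(const char *lbuf, size_t len)
{
	char *tbuf;

	if (len == SIZE_MAX) {		/* len + 1 would wrap to 0 */
		errno = EOVERFLOW;
		return NULL;
	}
	if ((tbuf = malloc(len + 1)) == NULL)
		return NULL;
	memcpy(tbuf, lbuf, len);
	tbuf[len] = '\n';
	return tbuf;
}
```

As the reply notes, fgetln(3) cannot actually hand back a length of SIZE_MAX, so in cut.c the guard is defensive rather than closing a reachable bug; the same pattern matters more where the length comes from untrusted input.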
