diff options
author | Ted Unangst <tedu@cvs.openbsd.org> | 2003-11-07 02:58:24 +0000 |
---|---|---|
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2003-11-07 02:58:24 +0000 |
commit | 573b3659e73295a82a68d1d4547243ff9094b3f2 (patch) | |
tree | 9ffb830ab48d71373eb9a0c8b63ed72a1c492b11 | |
parent | 012b0c83229277a1e6b6e0468bcdf2f959555c5c (diff) |
prevent overflow, see freebsd r1.32. also, do nicer reallocs.
ok millert@ otto@
-rw-r--r-- | usr.bin/sed/process.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c index 622eb502883..9aa2da86c80 100644 --- a/usr.bin/sed/process.c +++ b/usr.bin/sed/process.c @@ -1,4 +1,4 @@ -/* $OpenBSD: process.c,v 1.11 2003/06/10 22:20:51 deraadt Exp $ */ +/* $OpenBSD: process.c,v 1.12 2003/11/07 02:58:23 tedu Exp $ */ /*- * Copyright (c) 1992 Diomidis Spinellis. @@ -35,7 +35,7 @@ #ifndef lint /* from: static char sccsid[] = "@(#)process.c 8.1 (Berkeley) 6/6/93"; */ -static char *rcsid = "$OpenBSD: process.c,v 1.11 2003/06/10 22:20:51 deraadt Exp $"; +static char *rcsid = "$OpenBSD: process.c,v 1.12 2003/11/07 02:58:23 tedu Exp $"; #endif /* not lint */ #include <sys/types.h> @@ -106,10 +106,12 @@ redirect: cp = cp->u.c; goto redirect; case 'a': - if (appendx >= appendnum) + if (appendx >= appendnum) { appends = xrealloc(appends, sizeof(struct s_appends) * - (appendnum *= 2)); + (appendnum * 2)); + appendnum *= 2; + } appends[appendx].type = AP_STRING; appends[appendx].s = cp->t; appends[appendx].len = strlen(cp->t); @@ -537,9 +539,10 @@ regsub(SPACE *sp, char *string, char *src) char c, *dst; #define NEEDSP(reqlen) \ - if (sp->len >= sp->blen - (reqlen) - 1) { \ - sp->blen += (reqlen) + 1024; \ - sp->space = sp->back = xrealloc(sp->back, sp->blen); \ + if (sp->len + (reqlen) + 1 >= sp->blen) { \ + size_t newlen = sp->blen + (reqlen) + 1024; \ + sp->space = sp->back = xrealloc(sp->back, newlen); \ + sp->blen = newlen; \ dst = sp->space + sp->len; \ } @@ -582,8 +585,9 @@ cspace(SPACE *sp, char *p, size_t len, enum e_spflag spflag) /* Make sure SPACE has enough memory and ramp up quickly. */ tlen = sp->len + len + 1; if (tlen > sp->blen) { - sp->blen = tlen + 1024; - sp->space = sp->back = xrealloc(sp->back, sp->blen); + size_t newlen = tlen + 1024; + sp->space = sp->back = xrealloc(sp->back, newlen); + sp->blen = newlen; } if (spflag == REPLACE) |