author | cheloha <cheloha@cvs.openbsd.org> | 2018-07-23 23:09:38 +0000 |
---|---|---|
committer | cheloha <cheloha@cvs.openbsd.org> | 2018-07-23 23:09:38 +0000 |
commit | dd30fbb2f19764953df0b68cb3829e11467a6aae (patch) | |
tree | 8336aefd1d0fd817a674ef5d496a29d02844c201 /bin/dd | |
parent | 04be06ac0c7cee6a3fb50c044e099ad2f1faf67c (diff) |
Don't cast malloc(3) size to u_int.
Large buffer sizes on 64-bit platforms cause the sum to wrap, leading
read(2) to fail later.
We check prior to this point that all buffer sizes are <= SSIZE_MAX.
SSIZE_MAX * 2 < SIZE_MAX on all platforms, so the addition here will
not overflow and cause a similar issue.
Discovered by tobias@ a while back.
ok deraadt millert tobias
Diffstat (limited to 'bin/dd')
-rw-r--r-- | bin/dd/dd.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/bin/dd/dd.c b/bin/dd/dd.c index 1c20697f66e..94c38fe8c53 100644 --- a/bin/dd/dd.c +++ b/bin/dd/dd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dd.c,v 1.24 2017/08/13 02:06:42 tedu Exp $ */ +/* $OpenBSD: dd.c,v 1.25 2018/07/23 23:09:37 cheloha Exp $ */ /* $NetBSD: dd.c,v 1.6 1996/02/20 19:29:06 jtc Exp $ */ /*- @@ -136,10 +136,14 @@ setup(void) if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL) err(1, "input buffer"); out.db = in.db; - } else if ((in.db = - malloc((u_int)(MAXIMUM(in.dbsz, cbsz) + cbsz))) == NULL || - (out.db = malloc((u_int)(out.dbsz + cbsz))) == NULL) - err(1, "output buffer"); + } else { + in.db = malloc(MAXIMUM(in.dbsz, cbsz) + cbsz); + if (in.db == NULL) + err(1, "input buffer"); + out.db = malloc(out.dbsz + cbsz); + if (out.db == NULL) + err(1, "output buffer"); + } in.dbp = in.db; out.dbp = out.db; |
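Review bot: in the new else branch of setup(), the sums `MAXIMUM(in.dbsz, cbsz) + cbsz` and `out.dbsz + cbsz` are safe from wrapping only because of the bound given in the commit message (all buffer sizes are checked to be <= SSIZE_MAX before this point), and nothing in the hunk itself records that. I would add a short comment above the two malloc calls stating the invariant, so that a later change to the size checks does not silently reintroduce the overflow. The unchanged `malloc(out.dbsz + in.dbsz - 1)` in the branch above relies on the same bound and could share the comment. Splitting the combined condition so that a failed input allocation reports "input buffer" rather than "output buffer" is a good side effect and might be worth a word in the commit message.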