diff options
| author | Doug Hogan <doug@cvs.openbsd.org> | 2014-10-11 04:24:07 +0000 |
|---|---|---|
| committer | Doug Hogan <doug@cvs.openbsd.org> | 2014-10-11 04:24:07 +0000 |
| commit | 22f3c9378ff07d77596bd2d49154efd31c79bcbe (patch) | |
| tree | 67571a0580efdf8c0fe6db84f33f56e833624a09 /lib/libedit | |
| parent | e76b59f7f7726aef156831251a30ba0de1990bb7 (diff) | |
Userland reallocarray() audit.
Avoid potential integer overflow in the size argument of malloc() and
realloc() by using reallocarray() to avoid unchecked multiplication.
ok deraadt@
Diffstat (limited to 'lib/libedit')
| -rw-r--r-- | lib/libedit/readline.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/libedit/readline.c b/lib/libedit/readline.c index a91199f9189..09906bba0b1 100644 --- a/lib/libedit/readline.c +++ b/lib/libedit/readline.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readline.c,v 1.10 2011/07/08 05:41:11 nicm Exp $ */ +/* $OpenBSD: readline.c,v 1.11 2014/10/11 04:24:06 doug Exp $ */ /* $NetBSD: readline.c,v 1.91 2010/08/28 15:44:59 christos Exp $ */ /*- @@ -1091,12 +1091,13 @@ history_tokenize(const char *str) if (idx + 2 >= size) { char **nresult; - size <<= 1; - nresult = realloc(result, size * sizeof(char *)); + nresult = reallocarray(result, size, + 2 * sizeof(char *)); if (nresult == NULL) { free(result); return NULL; } + size *= 2; result = nresult; } len = i - start; |