Userland reallocarray() audit.

Avoid potential integer overflow in the size argument of malloc() and
realloc() by using reallocarray() to avoid unchecked multiplication.

ok deraadt@

2 files changed, 7 insertions, 5 deletions

diff --git a/lib/libc/regex/regexec.c b/lib/libc/regex/regexec.c
index 5e986f34c3c..ed6a4b8d62b 100644
--- a/lib/libc/regex/regexec.c
+++ b/lib/libc/regex/regexec.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: regexec.c,v 1.12 2013/04/17 17:39:29 tedu Exp $ */
+/*	$OpenBSD: regexec.c,v 1.13 2014/10/11 04:23:12 doug Exp $ */
 /*-
  * Copyright (c) 1992, 1993, 1994 Henry Spencer.
  * Copyright (c) 1992, 1993, 1994
@@ -109,7 +109,8 @@
 #define	ASSIGN(d, s)	memcpy(d, s, m->g->nstates)
 #define	EQ(a, b)	(memcmp(a, b, m->g->nstates) == 0)
 #define	STATEVARS	long vn; char *space
-#define	STATESETUP(m, nv)	{ (m)->space = malloc((nv)*(m)->g->nstates); \
+#define	STATESETUP(m, nv)	{ (m)->space = reallocarray(NULL, 	    \
+    				(m)->g->nstates, (nv));			    \
 				if ((m)->space == NULL) return(REG_ESPACE); \
 				(m)->vn = 0; }
 #define	STATETEARDOWN(m)	{ free((m)->space); }
diff --git a/lib/libedit/readline.c b/lib/libedit/readline.c
index a91199f9189..09906bba0b1 100644
--- a/lib/libedit/readline.c
+++ b/lib/libedit/readline.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: readline.c,v 1.10 2011/07/08 05:41:11 nicm Exp $	*/
+/*	$OpenBSD: readline.c,v 1.11 2014/10/11 04:24:06 doug Exp $	*/
 /*	$NetBSD: readline.c,v 1.91 2010/08/28 15:44:59 christos Exp $	*/
 
 /*-
@@ -1091,12 +1091,13 @@ history_tokenize(const char *str)
 
 		if (idx + 2 >= size) {
 			char **nresult;
-			size <<= 1;
-			nresult = realloc(result, size * sizeof(char *));
+			nresult = reallocarray(result, size,
+			    2 * sizeof(char *));
 			if (nresult == NULL) {
 				free(result);
 				return NULL;
 			}
+			size *= 2;
 			result = nresult;
 		}
 		len = i - start;