use reallocarray() to detect multiplicative integer overflow; obvious

pattern.
This commit does not fix the non-obvious bloody horror of select.c.

3 files changed, 16 insertions, 16 deletions

diff --git a/lib/libevent/kqueue.c b/lib/libevent/kqueue.c
index c0ba8cbc91e..06c736df2fb 100644
--- a/lib/libevent/kqueue.c
+++ b/lib/libevent/kqueue.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kqueue.c,v 1.28 2012/02/08 09:01:00 nicm Exp $	*/
+/*	$OpenBSD: kqueue.c,v 1.29 2014/10/08 05:41:42 deraadt Exp $	*/
 
 /*
  * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@@ -175,16 +175,16 @@ kq_insert(struct kqop *kqop, struct kevent *kev)
 
 		nevents *= 2;
 
-		newchange = realloc(kqop->changes,
-				    nevents * sizeof(struct kevent));
+		newchange = reallocarray(kqop->changes,
+		    nevents, sizeof(struct kevent));
 		if (newchange == NULL) {
 			event_warn("%s: malloc", __func__);
 			return (-1);
 		}
 		kqop->changes = newchange;
 
-		newresult = realloc(kqop->events,
-				    nevents * sizeof(struct kevent));
+		newresult = reallocarray(kqop->events,
+		    nevents, sizeof(struct kevent));
 
 		/*
 		 * If we fail, we don't have to worry about freeing,
diff --git a/lib/libevent/poll.c b/lib/libevent/poll.c
index 90180e1b32e..c1abbc81b58 100644
--- a/lib/libevent/poll.c
+++ b/lib/libevent/poll.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: poll.c,v 1.16 2013/08/24 10:46:48 dlg Exp $	*/
+/*	$OpenBSD: poll.c,v 1.17 2014/10/08 05:41:42 deraadt Exp $	*/
 
 /*
  * Copyright 2000-2003 Niels Provos <provos@citi.umich.edu>
@@ -226,16 +226,16 @@ poll_add(void *arg, struct event *ev)
 			tmp_event_count = pop->event_count * 2;
 
 		/* We need more file descriptors */
-		tmp_event_set = realloc(pop->event_set,
-				 tmp_event_count * sizeof(struct pollfd));
+		tmp_event_set = reallocarray(pop->event_set,
+		    tmp_event_count, sizeof(struct pollfd));
 		if (tmp_event_set == NULL) {
 			event_warn("realloc");
 			return (-1);
 		}
 		pop->event_set = tmp_event_set;
 
-		tmp_event_r_back = realloc(pop->event_r_back,
-			    tmp_event_count * sizeof(struct event *));
+		tmp_event_r_back = reallocarray(pop->event_r_back,
+		    tmp_event_count, sizeof(struct event *));
 		if (tmp_event_r_back == NULL) {
 			/* event_set overallocated; that's okay. */
 			event_warn("realloc");
@@ -243,8 +243,8 @@ poll_add(void *arg, struct event *ev)
 		}
 		pop->event_r_back = tmp_event_r_back;
 
-		tmp_event_w_back = realloc(pop->event_w_back,
-			    tmp_event_count * sizeof(struct event *));
+		tmp_event_w_back = reallocarray(pop->event_w_back,
+		    tmp_event_count, sizeof(struct event *));
 		if (tmp_event_w_back == NULL) {
 			/* event_set and event_r_back overallocated; that's
 			 * okay. */
@@ -264,8 +264,8 @@ poll_add(void *arg, struct event *ev)
 			new_count = pop->fd_count * 2;
 		while (new_count <= ev->ev_fd)
 			new_count *= 2;
-		tmp_idxplus1_by_fd =
-			realloc(pop->idxplus1_by_fd, new_count * sizeof(int));
+		tmp_idxplus1_by_fd = reallocarray(pop->idxplus1_by_fd,
+		    new_count, sizeof(int));
 		if (tmp_idxplus1_by_fd == NULL) {
 			event_warn("realloc");
 			return (-1);
diff --git a/lib/libevent/signal.c b/lib/libevent/signal.c
index c967bca1c47..156a5250c55 100644
--- a/lib/libevent/signal.c
+++ b/lib/libevent/signal.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: signal.c,v 1.17 2014/10/06 21:16:03 bluhm Exp $	*/
+/*	$OpenBSD: signal.c,v 1.18 2014/10/08 05:41:42 deraadt Exp $	*/
 
 /*
  * Copyright 2000-2002 Niels Provos <provos@citi.umich.edu>
@@ -152,7 +152,7 @@ _evsignal_set_handler(struct event_base *base,
 		int new_max = evsignal + 1;
 		event_debug(("%s: evsignal (%d) >= sh_old_max (%d), resizing",
 			    __func__, evsignal, sig->sh_old_max));
-		p = realloc(sig->sh_old, new_max * sizeof(*sig->sh_old));
+		p = reallocarray(sig->sh_old, new_max, sizeof(*sig->sh_old));
 		if (p == NULL) {
 			event_warn("realloc");
 			return (-1);