author | Doug Hogan <doug@cvs.openbsd.org> | 2014-10-08 04:01:11 +0000 |
---|---|---|
committer | Doug Hogan <doug@cvs.openbsd.org> | 2014-10-08 04:01:11 +0000 |
commit | dd7fa3c3f7e1d7352540477d3e783c24982a7e23 (patch) | |
tree | 2ccb9838889ff96b897361537fa58056169f291a /usr.bin | |
parent | 9ec46dd3790d43ee2c684cb388c20a6f65f5fd0e (diff) |
userland reallocarray audit.
Replace malloc() and realloc() calls that may have integer overflow in the
multiplication of the arguments with reallocarray().
ok deraadt@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ftp/fetch.c | 4 | ||||
-rw-r--r-- | usr.bin/ftp/stringlist.c | 5 |
2 files changed, 5 insertions, 4 deletions
diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c
index 20ae6924af9..ddd0efbb69a 100644
--- a/usr.bin/ftp/fetch.c
+++ b/usr.bin/ftp/fetch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fetch.c,v 1.131 2014/10/06 11:47:25 jca Exp $ */
+/* $OpenBSD: fetch.c,v 1.132 2014/10/08 04:01:10 doug Exp $ */
 /* $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */
 /*-
@@ -1512,7 +1512,7 @@ SSL_readline(struct ressl *ssl, size_t *lenp)
 errx(1, "Can't allocate memory for transfer buffer");
 for (i = 0; ; i++) {
 if (i >= len - 1) {
- if ((q = realloc(buf, 2 * len)) == NULL)
+ if ((q = reallocarray(buf, len, 2)) == NULL)
 errx(1, "Can't expand transfer buffer");
 buf = q;
 len *= 2;
diff --git a/usr.bin/ftp/stringlist.c b/usr.bin/ftp/stringlist.c
index ea65fcdbfbd..1c5e346b4c6 100644
--- a/usr.bin/ftp/stringlist.c
+++ b/usr.bin/ftp/stringlist.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: stringlist.c,v 1.10 2009/05/05 19:35:30 martynas Exp $ */
+/* $OpenBSD: stringlist.c,v 1.11 2014/10/08 04:01:10 doug Exp $ */
 /* $NetBSD: stringlist.c,v 1.2 1997/01/17 07:26:20 lukem Exp $ */
 /*
@@ -70,7 +70,8 @@ sl_add(StringList *sl, char *name)
 {
 if (sl->sl_cur == sl->sl_max - 1) {
 sl->sl_max += _SL_CHUNKSIZE;
- sl->sl_str = realloc(sl->sl_str, sl->sl_max * sizeof(char *));
+ sl->sl_str = reallocarray(sl->sl_str, sl->sl_max,
+ sizeof(char *));
 if (sl->sl_str == NULL)
 err(1, "stringlist");
 } |
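Review bot: The buffer doubling in SSL_readline still has no upper bound: the `for (i = 0; ; i++)` loop keeps growing `buf` while `i >= len - 1`, so a peer that never ends the line can drive the client to allocation failure and the `errx(1, "Can't expand transfer buffer")` exit. reallocarray() now rejects a wrapping `len * 2`, which also keeps the following `len *= 2` from wrapping, but a length cap ahead of the grow would turn this into a clean protocol error, e.g. `if (len > MAX_LINE_LEN / 2) errx(1, "Line too long");`, where `MAX_LINE_LEN` is a placeholder for a limit the project would choose. The read call, the initial allocation and the loop's exit condition are outside the hunk, so the growth pattern is inferred from the visible lines.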
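Review bot: In sl_add the reallocarray() result is still assigned straight back to `sl->sl_str`, and `sl->sl_max` is raised before the allocation is known to have succeeded. That is harmless only because the failure path is `err(1, "stringlist")`; if it ever became an error return, the old array would be lost and `sl_max` would overstate the real capacity. A temporary, as the fetch.c hunk uses with `q`, keeps the two files consistent: `p = reallocarray(sl->sl_str, sl->sl_max, sizeof(char *));` then `if (p == NULL) err(1, "stringlist");` and `sl->sl_str = p;`. The `sl->sl_max += _SL_CHUNKSIZE` addition is not covered by the overflow check, and the type of `sl_max` is not visible here; sl_add's body continues outside the hunk.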