From 1a7eef7a38b0f9441fcef01e7d2fde0601d00041 Mon Sep 17 00:00:00 2001
From: Doug Hogan <doug@cvs.openbsd.org>
Date: Sat, 11 Oct 2014 03:08:27 +0000
Subject: Userland reallocarray() audit.

Avoid potential integer overflow in the size argument of malloc() and
realloc() by using reallocarray() to avoid unchecked multiplication.

ok deraadt@
---
 sbin/disklabel/editor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sbin/disklabel')

diff --git a/sbin/disklabel/editor.c b/sbin/disklabel/editor.c
index 28da5e4f34b..f323e623db5 100644
--- a/sbin/disklabel/editor.c
+++ b/sbin/disklabel/editor.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: editor.c,v 1.287 2014/07/10 13:31:23 florian Exp $	*/
+/*	$OpenBSD: editor.c,v 1.288 2014/10/11 03:08:26 doug Exp $	*/
 
 /*
  * Copyright (c) 1997-2000 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -567,7 +567,7 @@ again:
 	memcpy(lp, lp_org, sizeof(struct disklabel));
 	lp->d_npartitions = MAXPARTITIONS;
 	lastalloc = alloc_table[index].sz;
-	alloc = malloc(lastalloc * sizeof(struct space_allocation));
+	alloc = reallocarray(NULL, lastalloc, sizeof(struct space_allocation));
 	if (alloc == NULL)
 		errx(4, "out of memory");
 	memcpy(alloc, alloc_table[index].table,
-- 
cgit v1.2.3