From 9a8aaa01f21a60e2f5f372b9722e363b36254df9 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@cvs.openbsd.org>
Date: Sat, 25 Mar 2006 01:13:24 +0000
Subject: change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
 to xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@
---
 usr.bin/ssh/sftp-client.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'usr.bin/ssh/sftp-client.c')

diff --git a/usr.bin/ssh/sftp-client.c b/usr.bin/ssh/sftp-client.c
index 82ae32900b9..46f1ab554fd 100644
--- a/usr.bin/ssh/sftp-client.c
+++ b/usr.bin/ssh/sftp-client.c
@@ -389,8 +389,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int printflag,
 				printf("%s\n", longname);
 
 			if (dir) {
-				*dir = xrealloc(*dir, sizeof(**dir) *
-				    (ents + 2));
+				*dir = xrealloc(*dir, ents + 2, sizeof(**dir));
 				(*dir)[ents] = xmalloc(sizeof(***dir));
 				(*dir)[ents]->filename = xstrdup(filename);
 				(*dir)[ents]->longname = xstrdup(longname);
-- 
cgit v1.2.3