[Developers] fix to integer overflow bug in PUGH

David Rideout rideout at aei.mpg.de
Fri Apr 6 08:36:25 CDT 2007


The malloc calls in PUGH compute the size to allocate from an int expression. 
This patch casts such expressions to size_t.  This fixes PR 2088.

Patch also includes a check that malloc returns a non-NULL result...

Thanks to Erik Schnetter for pointing me to the solution.

-David