From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from krisdoz.my.domain (schwarze@localhost [127.0.0.1])
	by krisdoz.my.domain (8.14.5/8.14.5) with ESMTP id s3NL6giv000536
	for <source@mdocml.bsd.lv>; Wed, 23 Apr 2014 17:06:42 -0400 (EDT)
Received: (from schwarze@localhost)
	by krisdoz.my.domain (8.14.5/8.14.3/Submit) id s3NL6fG3009154;
	Wed, 23 Apr 2014 17:06:41 -0400 (EDT)
Date: Wed, 23 Apr 2014 17:06:41 -0400 (EDT)
Message-Id: <201404232106.s3NL6fG3009154@krisdoz.my.domain>
X-Mailinglist: mdocml-source
Reply-To: source@mdocml.bsd.lv
MIME-Version: 1.0
From: schwarze@mdocml.bsd.lv
To: source@mdocml.bsd.lv
Subject: mdocml: Audit malloc(3)/calloc(3)/realloc(3) usage.
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8

Log Message:
-----------
Audit malloc(3)/calloc(3)/realloc(3) usage.
* Change eight reallocs to reallocarray to be safe from overflows.
* Change one malloc to reallocarray to be safe from overflows.
* Change one calloc to reallocarray, no zeroing needed.
* Change the order of arguments of three callocs (aesthetical).

Modified Files:
--------------
    mdocml:
        LICENSE
        Makefile
        configure
        eqn.c
        mandoc_aux.c
        mandoc_aux.h
        mandocdb.c
        manpath.c
        mansearch.c
        mdoc_argv.c
        mdoc_validate.c
        term.c
        term_ps.c

Added Files:
-----------
    mdocml:
        compat_reallocarray.c
        test-reallocarray.c

Revision Data
-------------
Index: term.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/term.c,v
retrieving revision 1.222
retrieving revision 1.223
diff -Lterm.c -Lterm.c -u -p -r1.222 -r1.223
--- term.c
+++ term.c
@@ -522,7 +522,7 @@ adjbuf(struct termp *p, size_t sz)
 	while (sz >= p->maxcols)
 		p->maxcols <<= 2;
 
-	p->buf = mandoc_realloc(p->buf, sizeof(int) * p->maxcols);
+	p->buf = mandoc_reallocarray(p->buf, p->maxcols, sizeof(int));
 }
 
 static void
Index: mansearch.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mansearch.c,v
retrieving revision 1.35
retrieving revision 1.36
diff -Lmansearch.c -Lmansearch.c -u -p -r1.35 -r1.36
--- mansearch.c
+++ mansearch.c
@@ -328,8 +328,8 @@ mansearch(const struct mansearch *search
 				mp = ohash_next(&htab, &idx)) {
 			if (cur + 1 > maxres) {
 				maxres += 1024;
-				*res = mandoc_realloc(*res,
-				    maxres * sizeof(struct manpage));
+				*res = mandoc_reallocarray(*res,
+				    maxres, sizeof(struct manpage));
 			}
 			mpage = *res + cur;
 			mpage->form = mp->form;
@@ -793,7 +793,7 @@ static void *
 hash_halloc(size_t sz, void *arg)
 {
 
-	return(mandoc_calloc(sz, 1));
+	return(mandoc_calloc(1, sz));
 }
 
 static void *
Index: mandoc_aux.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mandoc_aux.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -Lmandoc_aux.c -Lmandoc_aux.c -u -p -r1.1 -r1.2
--- mandoc_aux.c
+++ mandoc_aux.c
@@ -80,6 +80,18 @@ mandoc_realloc(void *ptr, size_t size)
 	return(ptr);
 }
 
+void *
+mandoc_reallocarray(void *ptr, size_t num, size_t size)
+{
+
+	ptr = reallocarray(ptr, num, size);
+	if (NULL == ptr) {
+		perror(NULL);
+		exit((int)MANDOCLEVEL_SYSERR);
+	}
+	return(ptr);
+}
+
 char *
 mandoc_strdup(const char *ptr)
 {
Index: term_ps.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/term_ps.c,v
retrieving revision 1.59
retrieving revision 1.60
diff -Lterm_ps.c -Lterm_ps.c -u -p -r1.59 -r1.60
--- term_ps.c
+++ term_ps.c
@@ -628,12 +628,8 @@ pdf_obj(struct termp *p, size_t obj)
 
 	if ((obj - 1) >= p->ps->pdfobjsz) {
 		p->ps->pdfobjsz = obj + 128;
-		p->ps->pdfobjs = realloc(p->ps->pdfobjs,
-		    p->ps->pdfobjsz * sizeof(size_t));
-		if (NULL == p->ps->pdfobjs) {
-			perror(NULL);
-			exit((int)MANDOCLEVEL_SYSERR);
-		}
+		p->ps->pdfobjs = mandoc_reallocarray(p->ps->pdfobjs,
+		    p->ps->pdfobjsz, sizeof(size_t));
 	}
 
 	p->ps->pdfobjs[(int)obj - 1] = p->ps->pdfbytes;
@@ -1169,7 +1165,5 @@ ps_growbuf(struct termp *p, size_t sz)
 		sz = PS_BUFSLOP;
 
 	p->ps->psmargsz += sz;
-
-	p->ps->psmarg = mandoc_realloc
-		(p->ps->psmarg, p->ps->psmargsz);
+	p->ps->psmarg = mandoc_realloc(p->ps->psmarg, p->ps->psmargsz);
 }
Index: manpath.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/manpath.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -Lmanpath.c -Lmanpath.c -u -p -r1.14 -r1.15
--- manpath.c
+++ manpath.c
@@ -169,8 +169,8 @@ manpath_add(struct manpaths *dirs, const
 		if (0 == strcmp(dirs->paths[i], dir))
 			return;
 
-	dirs->paths = mandoc_realloc(dirs->paths,
-	    (dirs->sz + 1) * sizeof(char *));
+	dirs->paths = mandoc_reallocarray(dirs->paths,
+	    dirs->sz + 1, sizeof(char *));
 
 	dirs->paths[dirs->sz++] = mandoc_strdup(cp);
 }
Index: eqn.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/eqn.c,v
retrieving revision 1.41
retrieving revision 1.42
diff -Leqn.c -Leqn.c -u -p -r1.41 -r1.42
--- eqn.c
+++ eqn.c
@@ -864,8 +864,8 @@ eqn_do_define(struct eqn_node *ep)
 
 		if (i == (int)ep->defsz) {
 			ep->defsz++;
-			ep->defs = mandoc_realloc(ep->defs,
-			    ep->defsz * sizeof(struct eqn_def));
+			ep->defs = mandoc_reallocarray(ep->defs,
+			    ep->defsz, sizeof(struct eqn_def));
 			ep->defs[i].key = ep->defs[i].val = NULL;
 		}
 
Index: mdoc_validate.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mdoc_validate.c,v
retrieving revision 1.213
retrieving revision 1.214
diff -Lmdoc_validate.c -Lmdoc_validate.c -u -p -r1.213 -r1.214
--- mdoc_validate.c
+++ mdoc_validate.c
@@ -1460,8 +1460,8 @@ post_bl_block_tag(POST_ARGS)
 	assert(n->args);
 	i = (int)(n->args->argc)++;
 
-	n->args->argv = mandoc_realloc(n->args->argv,
-	    n->args->argc * sizeof(struct mdoc_argv));
+	n->args->argv = mandoc_reallocarray(n->args->argv,
+	    n->args->argc, sizeof(struct mdoc_argv));
 
 	n->args->argv[i].arg = MDOC_Width;
 	n->args->argv[i].line = n->line;
@@ -1521,8 +1521,8 @@ post_bl_head(POST_ARGS)
 	 */
 
 	np->args->argv[j].sz = (size_t)mdoc->last->nchild;
-	np->args->argv[j].value = mandoc_malloc(
-	    (size_t)mdoc->last->nchild * sizeof(char *));
+	np->args->argv[j].value = mandoc_reallocarray(NULL,
+	    (size_t)mdoc->last->nchild, sizeof(char *));
 
 	mdoc->last->norm->Bl.ncols = np->args->argv[j].sz;
 	mdoc->last->norm->Bl.cols = (void *)np->args->argv[j].value;
Index: mandocdb.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mandocdb.c,v
retrieving revision 1.143
retrieving revision 1.144
diff -Lmandocdb.c -Lmandocdb.c -u -p -r1.143 -r1.144
--- mandocdb.c
+++ mandocdb.c
@@ -471,8 +471,8 @@ main(int argc, char *argv[])
 		 * manpath_parse() wants to do it.
 		 */
 		if (argc > 0) {
-			dirs.paths = mandoc_calloc(argc,
-			    sizeof(char *));
+			dirs.paths = mandoc_reallocarray(NULL,
+			    argc, sizeof(char *));
 			dirs.sz = (size_t)argc;
 			for (i = 0; i < argc; i++)
 				dirs.paths[i] = mandoc_strdup(argv[i]);
@@ -1784,7 +1784,7 @@ putkeys(const struct mpage *mpage,
 		s->mask |= v;
 		return;
 	} else if (NULL == s) {
-		s = mandoc_calloc(sizeof(struct str) + sz + 1, 1);
+		s = mandoc_calloc(1, sizeof(struct str) + sz + 1);
 		memcpy(s->key, cp, sz);
 		ohash_insert(htab, slot, s);
 	}
@@ -2314,7 +2314,7 @@ static void *
 hash_halloc(size_t sz, void *arg)
 {
 
-	return(mandoc_calloc(sz, 1));
+	return(mandoc_calloc(1, sz));
 }
 
 static void *
--- /dev/null
+++ test-reallocarray.c
@@ -0,0 +1,7 @@
+#include <stdlib.h>
+
+int
+main(void)
+{
+	return( ! reallocarray(NULL, 2, 2));
+}
Index: configure
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/configure,v
retrieving revision 1.2
retrieving revision 1.3
diff -Lconfigure -Lconfigure -u -p -r1.2 -r1.3
--- configure
+++ configure
@@ -34,6 +34,7 @@ runtest fgetln FGETLN
 runtest getsubopt GETSUBOPT
 runtest mmap MMAP
 runtest ohash OHASH
+runtest reallocarray REALLOCARRAY
 runtest strcasestr STRCASESTR
 runtest strlcat STRLCAT
 runtest strlcpy STRLCPY
Index: mdoc_argv.c
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mdoc_argv.c,v
retrieving revision 1.92
retrieving revision 1.93
diff -Lmdoc_argv.c -Lmdoc_argv.c -u -p -r1.92 -r1.93
--- mdoc_argv.c
+++ mdoc_argv.c
@@ -359,8 +359,8 @@ mdoc_argv(struct mdoc *mdoc, int line, e
 		arg = *v = mandoc_calloc(1, sizeof(struct mdoc_arg));
 
 	arg->argc++;
-	arg->argv = mandoc_realloc(arg->argv,
-	    arg->argc * sizeof(struct mdoc_argv));
+	arg->argv = mandoc_reallocarray(arg->argv,
+	    arg->argc, sizeof(struct mdoc_argv));
 
 	memcpy(&arg->argv[(int)arg->argc - 1], &tmp,
 	    sizeof(struct mdoc_argv));
@@ -667,8 +667,8 @@ argv_multi(struct mdoc *mdoc, int line,
 			break;
 
 		if (0 == v->sz % MULTI_STEP)
-			v->value = mandoc_realloc(v->value,
-			    (v->sz + MULTI_STEP) * sizeof(char *));
+			v->value = mandoc_reallocarray(v->value,
+			    v->sz + MULTI_STEP, sizeof(char *));
 
 		v->value[(int)v->sz] = mandoc_strdup(p);
 	}
Index: Makefile
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/Makefile,v
retrieving revision 1.417
retrieving revision 1.418
diff -LMakefile -LMakefile -u -p -r1.417 -r1.418
--- Makefile
+++ Makefile
@@ -64,6 +64,7 @@ TESTSRCS	 = test-fgetln.c \
 		   test-getsubopt.c \
 		   test-mmap.c \
 		   test-ohash.c \
+		   test-reallocarray.c \
 		   test-strlcat.c \
 		   test-strlcpy.c \
 		   test-strnlen.c \
@@ -86,6 +87,7 @@ SRCS		 = LICENSE \
 		   compat_getsubopt.c \
 		   compat_ohash.c \
 		   compat_ohash.h \
+		   compat_reallocarray.c \
 		   compat_strcasestr.c \
 		   compat_strlcat.c \
 		   compat_strlcpy.c \
@@ -213,6 +215,7 @@ LIBMANDOC_OBJS	 = $(LIBMAN_OBJS) \
 COMPAT_OBJS	 = compat_fgetln.o \
 		   compat_getsubopt.o \
 		   compat_ohash.o \
+		   compat_reallocarray.o \
 		   compat_strcasestr.o \
 		   compat_strlcat.o \
 		   compat_strlcpy.o \
--- /dev/null
+++ compat_reallocarray.c
@@ -0,0 +1,45 @@
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_REALLOCARRAY
+
+int dummy;
+
+#else
+
+/*	$OpenBSD: malloc.c,v 1.158 2014/04/23 15:07:27 tedu Exp $	*/
+/*
+ * Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/types.h>
+#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+#define MUL_NO_OVERFLOW (1UL << (sizeof(size_t) * 4))
+
+void *
+reallocarray(void *optr, size_t nmemb, size_t size)
+{
+	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
+	    nmemb > 0 && SIZE_MAX / nmemb < size) {
+		errno = ENOMEM;
+		return NULL;
+	}
+	return realloc(optr, size * nmemb);
+}
+
+#endif /*!HAVE_REALLOCARRAY*/
Index: LICENSE
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/LICENSE,v
retrieving revision 1.1
retrieving revision 1.2
diff -LLICENSE -LLICENSE -u -p -r1.1 -r1.2
--- LICENSE
+++ LICENSE
@@ -10,6 +10,7 @@ Copyright (c) 2009, 2010, 2011, 2012 Joe
 Copyright (c) 2013 Franco Fichtner <franco@lastsummer.de>
 Copyright (c) 1999, 2004 Marc Espie <espie@openbsd.org>
 Copyright (c) 1998, 2010 Todd C. Miller <Todd.Miller@courtesan.com>
+Copyright (c) 2008 Otto Moerbeek <otto@drijf.net>
 Copyright (c) 2003 Jason McIntyre <jmc@openbsd.org>
 
 See the individual source files for information about who contributed
Index: mandoc_aux.h
===================================================================
RCS file: /usr/vhosts/mdocml.bsd.lv/cvs/mdocml/mandoc_aux.h,v
retrieving revision 1.1
retrieving revision 1.2
diff -Lmandoc_aux.h -Lmandoc_aux.h -u -p -r1.1 -r1.2
--- mandoc_aux.h
+++ mandoc_aux.h
@@ -24,6 +24,7 @@ int		  mandoc_asprintf(char **, const ch
 void		 *mandoc_calloc(size_t, size_t);
 void		 *mandoc_malloc(size_t);
 void		 *mandoc_realloc(void *, size_t);
+void		 *mandoc_reallocarray(void *, size_t, size_t);
 char		 *mandoc_strdup(const char *);
 char		 *mandoc_strndup(const char *, size_t);
 
--
 To unsubscribe send an email to source+unsubscribe@mdocml.bsd.lv