bin/83363: [ PATCH ] Improper handling of malloc's failures within
libedit library
Dan Lukes
dan at obluda.cz
Wed Jul 13 01:40:19 GMT 2005
>Number: 83363
>Category: bin
>Synopsis: [ PATCH ] Improper handling of malloc's failures within libedit library
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 13 01:40:15 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Dan Lukes
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Obludarium
>Environment:
System: FreeBSD 5.4-STABLE #8: Sat Jul 9 16:31:08 CEST 2005 i386
lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien
lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr
>Description:
Improper handling of malloc's failures
>How-To-Repeat:
>Fix:
--- patch begins here ---
--- lib/libedit/history.c.ORIG Thu Oct 24 01:23:09 2002
+++ lib/libedit/history.c Wed Jul 13 02:42:01 2005
@@ -37,7 +37,7 @@
*/
#if !defined(lint) && !defined(SCCSID)
-static char sccsid[] = "@(#)history.c 8.1 (Berkeley) 6/4/93";
+static volatile char sccsid[] = "@(#)history.c 8.1 (Berkeley) 6/4/93";
#endif /* not lint && not SCCSID */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/lib/libedit/history.c,v 1.7 2002/10/14 10:42:38 tjr Exp $");
@@ -85,9 +85,10 @@
#define HENTER(h, ev, str) (*(h)->h_enter)((h)->h_ref, ev, str)
#define HADD(h, ev, str) (*(h)->h_add)((h)->h_ref, ev, str)
-#define h_malloc(a) malloc(a)
-#define h_realloc(a, b) realloc((a), (b))
-#define h_free(a) free(a)
+#define h_malloc(a) malloc(a)
+#define h_realloc(a, b) realloc((a), (b))
+#define h_reallocf(a, b) reallocf((a), (b))
+#define h_free(a) free(a)
private int history_setsize(History *, HistEvent *, int);
@@ -374,12 +375,16 @@
{
h->cursor = (hentry_t *) h_malloc(sizeof(hentry_t));
- if (h->cursor)
- h->cursor->ev.str = strdup(str);
- if (!h->cursor || !h->cursor->ev.str) {
+ if (!h->cursor) {
he_seterrev(ev, _HE_MALLOC_FAILED);
return (-1);
- }
+ };
+ h->cursor->ev.str = strdup(str);
+ if (!h->cursor->ev.str) {
+ h_free(h->cursor);
+ he_seterrev(ev, _HE_MALLOC_FAILED);
+ return (-1);
+ };
h->cursor->ev.num = ++h->eventid;
h->cursor->next = h->list.next;
h->cursor->prev = &h->list;
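Review bot: When `strdup(str)` fails, `h_free(h->cursor)` releases the new entry but leaves `h->cursor` pointing at the freed block, so the history object keeps a dangling cursor for any later call that reads it; the first failure branch similarly leaves `h->cursor` set to NULL. Build the entry in a local pointer and store it in `h->cursor` only once both allocations have succeeded, so a failed insert leaves the existing cursor and list untouched. The `};` closing each `if` block is an empty statement and should be a plain `}`. The function's signature and the end of its body are outside this hunk.

```c
	hentry_t *c = h_malloc(sizeof(*c));

	if (c == NULL) {
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	c->ev.str = strdup(str);
	if (c->ev.str == NULL) {
		h_free(c);
		he_seterrev(ev, _HE_MALLOC_FAILED);
		return (-1);
	}
	h->cursor = c;	/* publish only a fully built entry */
	/* … unchanged: ev.num assignment and next/prev linking … */
```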
@@ -423,15 +428,17 @@
{
history_t *h = (history_t *) h_malloc(sizeof(history_t));
- if (n <= 0)
- n = 0;
- h->eventid = 0;
- h->cur = 0;
- h->max = n;
- h->list.next = h->list.prev = &h->list;
- h->list.ev.str = NULL;
- h->list.ev.num = 0;
- h->cursor = &h->list;
+ if (h != NULL) {
+ if (n <= 0)
+ n = 0;
+ h->eventid = 0;
+ h->cur = 0;
+ h->max = n;
+ h->list.next = h->list.prev = &h->list;
+ h->list.ev.str = NULL;
+ h->list.ev.num = 0;
+ h->cursor = &h->list;
+ };
*p = (ptr_t) h;
}
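Review bot: On allocation failure this function stores NULL through `p` but records nothing in `ev`, unlike the insert path, which calls `he_seterrev(ev, _HE_MALLOC_FAILED)`; `*p == NULL` is the only failure signal. The caller patched in the next hunk checks it, but any caller outside this patch would need the same check, so the contract deserves a comment such as `/* on malloc failure *p is set to NULL; callers must test it before use */`, and an `else he_seterrev(ev, _HE_MALLOC_FAILED);` branch would keep the error reporting consistent. The `};` after the `if` block is an empty statement and should be `}`. The function's signature is outside the hunk.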
@@ -464,7 +471,14 @@
History *h = (History *) h_malloc(sizeof(History));
HistEvent ev;
+ if (h == NULL)
+ return(NULL);
+
history_def_init(&h->h_ref, &ev, 0);
+ if (h->h_ref == NULL) {
+ h_free(h);
+ return(NULL);
+ }
h->h_ent = -1;
h->h_next = history_def_next;
h->h_first = history_def_first;
@@ -475,7 +489,6 @@
h->h_clear = history_def_clear;
h->h_enter = history_def_enter;
h->h_add = history_def_add;
-
return (h);
}
@@ -589,7 +602,7 @@
FILE *fp;
char *line;
size_t sz, max_size;
- char *ptr;
+ char *ptr = NULL;
int i = -1;
HistEvent ev;
@@ -603,6 +616,8 @@
goto done;
ptr = h_malloc(max_size = 1024);
+ if (ptr == NULL)
+ goto done;
for (i = 0; (line = fgetln(fp, &sz)) != NULL; i++) {
char c = line[sz];
@@ -619,9 +634,9 @@
line[sz] = c;
HENTER(h, &ev, ptr);
}
- h_free(ptr);
done:
+ h_free(ptr);
(void) fclose(fp);
return (i);
}
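Review bot: The result of `HENTER(h, &ev, ptr)` is still discarded in the load loop, so an allocation failure inside the enter callback is counted as a loaded line and the loop carries on under memory pressure. Checking it, for example `if (HENTER(h, &ev, ptr) == -1) { i = -1; goto done; }`, would let the new `done:` cleanup handle that case too. The part of the loop between the previous hunk and this one is not shown; if it grows `ptr` with `h_realloc`, that call needs the same NULL handling this patch adds to the save routine.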
@@ -637,7 +652,7 @@
HistEvent ev;
int i = 0, retval;
size_t len, max_size;
- char *ptr;
+ char *ptr = NULL;
if ((fp = fopen(fname, "w")) == NULL)
return (-1);
@@ -645,17 +660,22 @@
(void) fchmod(fileno(fp), S_IRUSR|S_IWUSR);
(void) fputs(hist_cookie, fp);
ptr = h_malloc(max_size = 1024);
+ if (ptr == NULL)
+ goto done;
for (retval = HLAST(h, &ev);
retval != -1;
retval = HPREV(h, &ev), i++) {
len = strlen(ev.str) * 4;
if (len >= max_size) {
max_size = (len + 1023) & 1023;
- ptr = h_realloc(ptr, max_size);
+ ptr = h_reallocf(ptr, max_size);
+ if (ptr == NULL)
+ goto done;
}
(void) strvis(ptr, ev.str, VIS_WHITE);
(void) fprintf(fp, "%s\n", ptr);
}
+done:
h_free(ptr);
(void) fclose(fp);
return (i);
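Review bot: Both new `goto done` paths return `i`, which is 0 when the initial `h_malloc` fails and a partial count when `h_reallocf` fails, so the caller cannot tell an out-of-memory save, with the file already truncated by `fopen(fname, "w")`, from a successful one; set `i = -1` before jumping. The unchanged growth line `max_size = (len + 1023) & 1023;` should be fixed while this block is being touched: masking with `1023` instead of `~1023` yields a size below 1024 and therefore below `len`, so the following `strvis(ptr, ev.str, VIS_WHITE)` can write past the end of the reallocated buffer. `max_size = (len + 1024) & ~(size_t)1023;` rounds up to the next 1 KiB multiple and leaves room for the terminating NUL. The function's opening lines are outside this hunk.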
--- lib/libedit/tokenizer.c.ORIG Mon Jul 1 22:53:03 2002
+++ lib/libedit/tokenizer.c Wed Jul 13 02:42:44 2005
@@ -37,7 +37,7 @@
*/
#if !defined(lint) && !defined(SCCSID)
-static char sccsid[] = "@(#)tokenizer.c 8.1 (Berkeley) 6/4/93";
+static volatile char sccsid[] = "@(#)tokenizer.c 8.1 (Berkeley) 6/4/93";
#endif /* not lint && not SCCSID */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/lib/libedit/tokenizer.c,v 1.6 2001/10/01 23:00:29 obrien Exp $");
@@ -108,22 +108,24 @@
{
Tokenizer *tok = (Tokenizer *) tok_malloc(sizeof(Tokenizer));
+ if (tok == NULL)
+ return(NULL);
tok->ifs = strdup(ifs ? ifs : IFS);
tok->argc = 0;
tok->amax = AINCR;
tok->argv = (char **) tok_malloc(sizeof(char *) * tok->amax);
- if (tok->argv == NULL)
- return (NULL);
- tok->argv[0] = NULL;
tok->wspace = (char *) tok_malloc(WINCR);
- if (tok->wspace == NULL)
- return (NULL);
+ if (tok->ifs == NULL || tok->argv == NULL || tok->wspace == NULL) {
+ tok_end(tok);
+ return(NULL);
+ }
+ tok->argv[0] = NULL;
tok->wmax = tok->wspace + WINCR;
tok->wstart = tok->wspace;
tok->wptr = tok->wspace;
tok->flags = 0;
tok->quote = Q_none;
-
+
return (tok);
}
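Review bot: The combined failure branch relies on `tok_end()`, which is not shown in this patch, releasing only `ifs`, `argv`, `wspace` and `tok` itself, because `wmax`, `wstart`, `wptr`, `flags` and `quote` are still unset when it is called. A comment above the check would pin that dependency down: `/* ifs, argv and wspace are all assigned above; tok_end() frees them (free(NULL) is a no-op) and tok */`. The final `-`/`+` pair changes only whitespace on a blank line and appears to add trailing whitespace. The function's signature is outside the hunk.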
--- patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: