[Bug 209078] Minor bugs in vidcontrol
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Tue Apr 26 19:05:44 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209078
Bug ID: 209078
Summary: Minor bugs in vidcontrol
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cturt at hardenedbsd.org
There is a memory leak in the `vidcontrol` utility in the `load_vt4font`:
usr.sbin/vidcontrol/vidcontrol.c:
static int
load_vt4font(FILE *f)
{
struct vt4font_header fh;
static vfnt_t vfnt;
size_t glyphsize;
unsigned int i;
if (fread(&fh, sizeof fh, 1, f) != 1) {
perror("file_header");
return (1);
}
if (memcmp(fh.magic, "VFNT0002", 8) != 0) {
fprintf(stderr, "Bad magic\n");
return (1);
}
for (i = 0; i < VFNT_MAPS; i++)
vfnt.map_count[i] = be32toh(fh.map_count[i]);
vfnt.glyph_count = be32toh(fh.glyph_count);
vfnt.width = fh.width;
vfnt.height = fh.height;
glyphsize = howmany(vfnt.width, 8) * vfnt.height * vfnt.glyph_count;
vfnt.glyphs = malloc(glyphsize);
if (fread(vfnt.glyphs, glyphsize, 1, f) != 1) {
perror("glyphs");
return (1);
}
for (i = 0; i < VFNT_MAPS; i++)
vfnt.map[i] = load_vt4mappingtable(vfnt.map_count[i], f);
if (ioctl(STDIN_FILENO, PIO_VFONT, &vfnt) == -1) {
perror("PIO_VFONT");
return (1);
}
return (0);
}
After the `vfnt.glyphs` buffer has been allocated with `malloc`, the function
can return without freeing the buffer if `fread` or `ioctl` fail.
This is only a minor bug, since the process exits almost immediately after
calling this function anyway, but I would like to `free` the buffer as a matter
of code correctness.
This function also doesn't check the return result of `malloc`, which could
lead to writing to `NULL` if the allocation fails.
My proposal is to add the following lines to this function:
vfnt.glyphs = malloc(glyphsize);
+ if (vfnt.glyphs == NULL) {
+ perror("malloc");
+ return (1);
+ }
if (fread(vfnt.glyphs, glyphsize, 1, f) != 1) {
perror("glyphs");
+ free(vfnt.glyphs);
return (1);
}
for (i = 0; i < VFNT_MAPS; i++)
vfnt.map[i] = load_vt4mappingtable(vfnt.map_count[i], f);
if (ioctl(STDIN_FILENO, PIO_VFONT, &vfnt) == -1) {
perror("PIO_VFONT");
+ free(vfnt.glyphs);
return (1);
}
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list