diff options
| author | Wayne Davison <wayned@samba.org> | 2008-04-08 08:01:43 -0700 |
|---|---|---|
| committer | Wayne Davison <wayned@samba.org> | 2008-04-08 08:01:43 -0700 |
| commit | 1fe2a3533f8cf7aeec4d823219ba23a42fbddb5d (patch) | |
| tree | 2a6525f5c6376b2a601f96a25eacac2082a697ea /util.c | |
| parent | 237e9a178f834d5c63e2576d140326ecd2a519af (diff) | |
| download | rsync-1fe2a3533f8cf7aeec4d823219ba23a42fbddb5d.tar.gz rsync-1fe2a3533f8cf7aeec4d823219ba23a42fbddb5d.tar.bz2 rsync-1fe2a3533f8cf7aeec4d823219ba23a42fbddb5d.zip | |
Fixed a potential overflow issue with realloc() that Sebastian Krahmer
pointed out.
Diffstat (limited to 'util.c')
| -rw-r--r-- | util.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc) return use_calloc ? calloc(num, size) : malloc(num * size); } -void *_realloc_array(void *ptr, unsigned int size, unsigned long num) +void *_realloc_array(void *ptr, unsigned int size, size_t num) { if (num >= MALLOC_MAX/size) return NULL; @@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size, new_size += incr; else new_size *= 2; - new_ptr = realloc_array(lp->items, char, new_size * item_size); + if (new_size < lp->malloced) + overflow_exit("expand_item_list"); + /* Using _realloc_array() lets us pass the size, not a type. */ + new_ptr = _realloc_array(lp->items, item_size, new_size); if (verbose >= 4) { rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n", who_am_i(), desc, (double)new_size * item_size, |