From 1fe2a3533f8cf7aeec4d823219ba23a42fbddb5d Mon Sep 17 00:00:00 2001 From: Wayne Davison Date: Tue, 8 Apr 2008 08:01:43 -0700 Subject: Fixed a potential overflow issue with realloc() that Sebastian Krahmer pointed out. --- util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'util.c') diff --git a/util.c b/util.c index a40ce7b5..a53af8d5 100644 --- a/util.c +++ b/util.c @@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc) return use_calloc ? calloc(num, size) : malloc(num * size); } -void *_realloc_array(void *ptr, unsigned int size, unsigned long num) +void *_realloc_array(void *ptr, unsigned int size, size_t num) { if (num >= MALLOC_MAX/size) return NULL; @@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size, new_size += incr; else new_size *= 2; - new_ptr = realloc_array(lp->items, char, new_size * item_size); + if (new_size < lp->malloced) + overflow_exit("expand_item_list"); + /* Using _realloc_array() lets us pass the size, not a type. */ + new_ptr = _realloc_array(lp->items, item_size, new_size); if (verbose >= 4) { rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n", who_am_i(), desc, (double)new_size * item_size, -- cgit v1.2.3