Commit 65931dfd authored by Thomas Roessler's avatar Thomas Roessler

Try to catch a couple of cases in which parameters for malloc calls

could overflow.  Thanks to Timo Sirainen for the heads-up.
parent b0a640c1
......@@ -797,7 +797,7 @@ void _mutt_select_file (char *f, size_t flen, int flags, char ***files, int *num
if (menu->tagged)
{
*numfiles = menu->tagged;
tfiles = safe_malloc (*numfiles * sizeof (char *));
tfiles = safe_calloc (*numfiles, sizeof (char *));
for (i = 0, j = 0; i < state.entrylen; i++)
{
struct folder_file ff = state.entry[i];
......@@ -814,7 +814,7 @@ void _mutt_select_file (char *f, size_t flen, int flags, char ***files, int *num
else if (f[0]) /* no tagged entries. return selected entry */
{
*numfiles = 1;
tfiles = safe_malloc (*numfiles * sizeof (char *));
tfiles = safe_calloc (*numfiles, sizeof (char *));
mutt_expand_path (f, flen);
tfiles[0] = safe_strdup (f);
*files = tfiles;
......
......@@ -148,7 +148,7 @@ static void replace_part (ENTER_STATE *state, size_t from, char *buf)
{
/* Save the suffix */
size_t savelen = state->lastchar - state->curpos;
wchar_t *savebuf = safe_malloc (savelen * sizeof (wchar_t));
wchar_t *savebuf = safe_calloc (savelen, sizeof (wchar_t));
memcpy (savebuf, state->wbuf + state->curpos, savelen * sizeof (wchar_t));
/* Convert to wide characters */
......@@ -657,7 +657,7 @@ self_insert:
{
char **tfiles;
*numfiles = 1;
tfiles = safe_malloc (*numfiles * sizeof (char *));
tfiles = safe_calloc (*numfiles, sizeof (char *));
mutt_expand_path (buf, buflen);
tfiles[0] = safe_strdup (buf);
*files = tfiles;
......
......@@ -665,8 +665,8 @@ int imap_open_mailbox (CONTEXT* ctx)
}
ctx->hdrmax = count;
ctx->hdrs = safe_malloc (count * sizeof (HEADER *));
ctx->v2r = safe_malloc (count * sizeof (int));
ctx->hdrs = safe_calloc (count, sizeof (HEADER *));
ctx->v2r = safe_calloc (count, sizeof (int));
ctx->msgcount = 0;
if (count && (imap_read_headers (idata, 0, count-1) < 0))
{
......
......@@ -52,6 +52,13 @@ void *safe_calloc (size_t nmemb, size_t size)
{
void *p;
if (((size_t) -1) / nmemb <= size)
{
mutt_error _("Integer overflow -- can't allocate memory!");
sleep (1);
mutt_exit (1);
}
if (!nmemb || !size)
return NULL;
if (!(p = calloc (nmemb, size)))
......
......@@ -127,7 +127,7 @@ static int mbox_to_udomain (const char *mbx, char **user, char **domain)
p = strchr (mbx, '@');
if (!p)
return -1;
*user = safe_malloc((p - mbx + 1) * sizeof(mbx[0]));
*user = safe_calloc((p - mbx + 1), sizeof(mbx[0]));
strfcpy (*user, mbx, (p - mbx + 1));
*domain = safe_strdup(p + 1);
return 0;
......
......@@ -1537,7 +1537,15 @@ int mx_close_message (MESSAGE **msg)
void mx_alloc_memory (CONTEXT *ctx)
{
int i;
size_t s = MAX (sizeof (HEADER *), sizeof (int));
if ((ctx->hdrmax + 25) * s < ctx->hdrmax * s)
{
mutt_error _("Integer overflow -- can't allocate memory.");
sleep (1);
mutt_exit (1);
}
if (ctx->hdrs)
{
safe_realloc ((void **) &ctx->hdrs, sizeof (HEADER *) * (ctx->hdrmax += 25));
......@@ -1545,8 +1553,8 @@ void mx_alloc_memory (CONTEXT *ctx)
}
else
{
ctx->hdrs = safe_malloc (sizeof (HEADER *) * (ctx->hdrmax += 25));
ctx->v2r = safe_malloc (sizeof (int) * ctx->hdrmax);
ctx->hdrs = safe_calloc ((ctx->hdrmax += 25), sizeof (HEADER *));
ctx->v2r = safe_calloc (ctx->hdrmax, sizeof (int));
}
for (i = ctx->msgcount ; i < ctx->hdrmax ; i++)
{
......
......@@ -690,10 +690,10 @@ static size_t convert_file_to (FILE *file, const char *fromcode,
if (cd1 == (iconv_t)(-1))
return -1;
cd = safe_malloc (ncodes * sizeof (iconv_t));
score = safe_calloc (1, ncodes * sizeof (size_t));
states = safe_calloc (1, ncodes * sizeof (CONTENT_STATE));
infos = safe_calloc (1, ncodes * sizeof (CONTENT));
cd = safe_calloc (ncodes, sizeof (iconv_t));
score = safe_calloc (ncodes, sizeof (size_t));
states = safe_calloc (ncodes, sizeof (CONTENT_STATE));
infos = safe_calloc (ncodes, sizeof (CONTENT));
for (i = 0; i < ncodes; i++)
if (ascii_strcasecmp (tocodes[i], "UTF-8"))
......
......@@ -379,7 +379,7 @@ char* smime_ask_for_key (char *prompt, char *mailbox, short public)
}
/* Read Entries */
cur = 0;
Table = safe_malloc(sizeof (smime_id) * cert_num);
Table = safe_calloc(cert_num, sizeof (smime_id));
while (!feof(index)) {
numFields = fscanf (index, MUTT_FORMAT(STRING) " %x.%i " MUTT_FORMAT(STRING), fields[0], &hash,
&hash_suffix, fields[2]);
......
......@@ -591,7 +591,7 @@ THREAD *mutt_sort_subthreads (THREAD *thread, int init)
top = thread;
array = safe_malloc ((array_size = 256) * sizeof (THREAD *));
array = safe_calloc ((array_size = 256), sizeof (THREAD *));
while (1)
{
if (init || !thread->sort_key)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment