Protect against integer overflow in malloca() calls.

diff --git a/ChangeLog b/ChangeLog
index 5d9655ba2781684297d1f13b04a6d66c34eac92d..32c0264e1feaf43df9489840b8c54f4cb0e041e5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2007-12-30  Bruno Haible  <bruno@clisp.org>
+
+       * lib/malloca.h (nmalloca): New macro.
+       * lib/c-strcasestr.c (knuth_morris_pratt): Use it.
+       * lib/c-strstr.c (knuth_morris_pratt): Likewise.
+       * lib/mbscasestr.c (knuth_morris_pratt_unibyte,
+       knuth_morris_pratt_multibyte): Likewise.
+       * lib/mbsstr.c (knuth_morris_pratt_unibyte,
+       knuth_morris_pratt_multibyte): Likewise.
+       * lib/memmem.c (knuth_morris_pratt): Likewise.
+       * lib/strcasestr.c (knuth_morris_pratt): Likewise.
+
 2007-12-25  Bruno Haible  <bruno@clisp.org>
 
        Fixup after 2007-10-17 commit. Ensure that 'glob' stays under LGPLv2+.

diff --git a/lib/c-strcasestr.c b/lib/c-strcasestr.c
index 76732d20ff74338543cf5072c40b4c7ca8687770..36b2a9f5ce1aa4b18479ff84f7fa3a85754fee63 100644 (file)
--- a/lib/c-strcasestr.c
+++ b/lib/c-strcasestr.c
@@ -37,7 +37,7 @@ knuth_morris_pratt (const char *haystack, const char *needle,
   size_t m = strlen (needle);
 
   /* Allocate the table.  */
-  size_t *table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.

diff --git a/lib/c-strstr.c b/lib/c-strstr.c
index 58ae2c51cff6cf9625fc508cb544754674bd40ee..3652100e6237036e835e638f55fe27d69aa2c20b 100644 (file)
--- a/lib/c-strstr.c
+++ b/lib/c-strstr.c
@@ -36,7 +36,7 @@ knuth_morris_pratt (const char *haystack, const char *needle,
   size_t m = strlen (needle);
 
   /* Allocate the table.  */
-  size_t *table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.

diff --git a/lib/malloca.h b/lib/malloca.h
index 2f74b9617012850dff8bc9e126c3b3d927079e2f..5bb2d47348438109a962e64471e01a70f1815cda 100644 (file)
--- a/lib/malloca.h
+++ b/lib/malloca.h
@@ -70,9 +70,19 @@ extern void freea (void *p);
 # define freea free
 #endif
 
-/* Maybe we should also define a variant
-    nmalloca (size_t n, size_t s) - behaves like malloca (n * s)
-   If this would be useful in your application. please speak up.  */
+/* nmalloca(N,S) is an overflow-safe variant of malloca (N * S).
+   It allocates an array of N objects, each with S bytes of memory,
+   on the stack.  S must be positive and N must be nonnegative.
+   The array must be freed using freea() before the function returns.  */
+#if 1
+/* Cf. the definition of xalloc_oversized.  */
+# define nmalloca(n, s) \
+    ((n) > (size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) \
+     ? NULL \
+     : malloca ((n) * (s)))
+#else
+extern void * nmalloca (size_t n, size_t s);
+#endif
 
 
 #ifdef __cplusplus

diff --git a/lib/mbscasestr.c b/lib/mbscasestr.c
index a5491e4c9bfaed910185d5741af3816d9cc5969e..7205cca1e919314798150c9bba851da4309cd26e 100644 (file)
--- a/lib/mbscasestr.c
+++ b/lib/mbscasestr.c
@@ -42,7 +42,7 @@ knuth_morris_pratt_unibyte (const char *haystack, const char *needle,
   size_t m = strlen (needle);
 
   /* Allocate the table.  */
-  size_t *table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.
@@ -164,7 +164,7 @@ knuth_morris_pratt_multibyte (const char *haystack, const char *needle,
   size_t *table;
 
   /* Allocate room for needle_mbchars and the table.  */
-  char *memory = (char *) malloca (m * (sizeof (mbchar_t) + sizeof (size_t)));
+  char *memory = (char *) nmalloca (m, sizeof (mbchar_t) + sizeof (size_t));
   if (memory == NULL)
     return false;
   needle_mbchars = (mbchar_t *) memory;

diff --git a/lib/mbsstr.c b/lib/mbsstr.c
index f875207184ecb264ecb7a7145312347b8e9f4088..420be08436a3876ec34f941839ad104d8c56029d 100644 (file)
--- a/lib/mbsstr.c
+++ b/lib/mbsstr.c
@@ -39,7 +39,7 @@ knuth_morris_pratt_unibyte (const char *haystack, const char *needle,
   size_t m = strlen (needle);
 
   /* Allocate the table.  */
-  size_t *table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.
@@ -160,7 +160,7 @@ knuth_morris_pratt_multibyte (const char *haystack, const char *needle,
   size_t *table;
 
   /* Allocate room for needle_mbchars and the table.  */
-  char *memory = (char *) malloca (m * (sizeof (mbchar_t) + sizeof (size_t)));
+  char *memory = (char *) nmalloca (m, sizeof (mbchar_t) + sizeof (size_t));
   if (memory == NULL)
     return false;
   needle_mbchars = (mbchar_t *) memory;

diff --git a/lib/memmem.c b/lib/memmem.c
index b7f3e12c6cbba2989019250c9ad188a6685d8e36..57c6560323c042b8060c012c4711b3328e5dccee 100644 (file)
--- a/lib/memmem.c
+++ b/lib/memmem.c
@@ -39,10 +39,7 @@ knuth_morris_pratt (const char *haystack, const char *last_haystack,
                     const char **resultp)
 {
   /* Allocate the table.  */
-  size_t *table;
-  if ((size_t) -1 / sizeof (size_t) < m)
-    return false;
-  table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.

diff --git a/lib/strcasestr.c b/lib/strcasestr.c
index 27145dd37d5d442a694f17055c68253457b21c02..dfbf925b792ae2aefe27eddafad0ff1e34c309a9 100644 (file)
--- a/lib/strcasestr.c
+++ b/lib/strcasestr.c
@@ -39,7 +39,7 @@ knuth_morris_pratt (const char *haystack, const char *needle,
   size_t m = strlen (needle);
 
   /* Allocate the table.  */
-  size_t *table = (size_t *) malloca (m * sizeof (size_t));
+  size_t *table = (size_t *) nmalloca (m, sizeof (size_t));
   if (table == NULL)
     return false;
   /* Fill the table.