From 387c92ab2fdb66fc231c21acf1358113a774df17 Mon Sep 17 00:00:00 2001 From: deraadt Date: Mon, 13 Apr 2015 05:11:23 +0000 Subject: [PATCH] correct multiplication idiom during xreallocarray, and expand appendnum to size_t to avoid overflow after allocation success ok guenther doug --- usr.bin/sed/extern.h | 4 ++-- usr.bin/sed/process.c | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/usr.bin/sed/extern.h b/usr.bin/sed/extern.h index 2f11a308157..6d2c0324cfd 100644 --- a/usr.bin/sed/extern.h +++ b/usr.bin/sed/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.8 2015/01/19 15:30:52 krw Exp $ */ +/* $OpenBSD: extern.h,v 1.9 2015/04/13 05:11:23 deraadt Exp $ */ /*- * Copyright (c) 1992 Diomidis Spinellis. * Copyright (c) 1992, 1993 @@ -39,7 +39,7 @@ extern struct s_appends *appends; extern regmatch_t *match; extern size_t maxnsub; extern u_long linenum; -extern int appendnum; +extern size_t appendnum; extern int lastline; extern int Eflag, aflag, eflag, nflag; extern char *fname; diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c index dee318952da..12385b844a4 100644 --- a/usr.bin/sed/process.c +++ b/usr.bin/sed/process.c @@ -1,4 +1,4 @@ -/* $OpenBSD: process.c,v 1.21 2014/12/12 03:22:35 jsg Exp $ */ +/* $OpenBSD: process.c,v 1.22 2015/04/13 05:11:23 deraadt Exp $ */ /*- * Copyright (c) 1992 Diomidis Spinellis. @@ -67,7 +67,7 @@ static int substitute(struct s_command *); struct s_appends *appends; /* Array of pointers to strings to append. */ static int appendx; /* Index into appends array. */ -int appendnum; /* Size of appends array. */ +size_t appendnum; /* Size of appends array. */ static int lastaddr; /* Set by applies if last address of a range. */ static int sdone; /* If any substitutes since last line input. */ @@ -103,8 +103,8 @@ redirect: case 'a': if (appendx >= appendnum) { appends = xreallocarray(appends, - appendnum *= 2, - sizeof(struct s_appends)); + appendnum, + 2 * sizeof(struct s_appends)); appendnum *= 2; } appends[appendx].type = AP_STRING; @@ -196,10 +196,12 @@ redirect: flush_appends(); exit(0); case 'r': - if (appendx >= appendnum) + if (appendx >= appendnum) { appends = xreallocarray(appends, - appendnum *= 2, - sizeof(struct s_appends)); + appendnum, + 2 * sizeof(struct s_appends)); + appendnum *= 2; + } appends[appendx].type = AP_FILE; appends[appendx].s = cp->t; appends[appendx].len = strlen(cp->t); -- 2.20.1