Fixed a potential overflow issue with realloc() that Sebastian Krahmer

pointed out.

Fixed a potential overflow issue with realloc() that Sebastian Krahmer
pointed out.
1fe2a353 · Wayne Davison · 237e9a17 · 1fe2a353
Commit 1fe2a353 authored Apr 08, 2008 by Wayne Davison
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

util.c util.c +5 -2

No files found.
--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
 	return use_calloc ? calloc(num, size) : malloc(num * size);
 }

-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
 {
 	if (num >= MALLOC_MAX/size)
 		return NULL;
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
 			new_size += incr;
 		else
 			new_size *= 2;
-		new_ptr = realloc_array(lp->items, char, new_size * item_size);
+		if (new_size < lp->malloced)
+			overflow_exit("expand_item_list");
+		/* Using _realloc_array() lets us pass the size, not a type. */
+		new_ptr = _realloc_array(lp->items, item_size, new_size);
 		if (verbose >= 4) {
 			rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
 				who_am_i(), desc, (double)new_size * item_size,