1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
$NetBSD: patch-src_libjasper_base_jas__malloc.c,v 1.1 2016/05/16 14:03:40 he Exp $
Fix CVE-2008-3520, patches from
https://bugs.gentoo.org/show_bug.cgi?id=222819
--- src/libjasper/base/jas_malloc.c.orig 2007-01-19 21:43:05.000000000 +0000
+++ src/libjasper/base/jas_malloc.c
@@ -76,6 +76,9 @@
/* We need the prototype for memset. */
#include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <stdint.h>
#include "jasper/jas_malloc.h"
@@ -113,18 +116,50 @@ void jas_free(void *ptr)
void *jas_realloc(void *ptr, size_t size)
{
- return realloc(ptr, size);
+ return ptr ? realloc(ptr, size) : malloc(size);
}
-void *jas_calloc(size_t nmemb, size_t size)
+void *jas_realloc2(void *ptr, size_t nmemb, size_t size)
+{
+ if (!ptr)
+ return jas_alloc2(nmemb, size);
+ if (nmemb && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ return jas_realloc(ptr, nmemb * size);
+
+}
+
+void *jas_alloc2(size_t nmemb, size_t size)
+{
+ if (nmemb && SIZE_MAX / nmemb < size) {
+ errno = ENOMEM;
+ return NULL;
+ }
+
+ return jas_malloc(nmemb * size);
+}
+
+void *jas_alloc3(size_t a, size_t b, size_t c)
{
- void *ptr;
size_t n;
- n = nmemb * size;
- if (!(ptr = jas_malloc(n * sizeof(char)))) {
- return 0;
+
+ if (a && SIZE_MAX / a < b) {
+ errno = ENOMEM;
+ return NULL;
}
- memset(ptr, 0, n);
+
+ return jas_alloc2(a*b, c);
+}
+
+void *jas_calloc(size_t nmemb, size_t size)
+{
+ void *ptr;
+
+ ptr = jas_alloc2(nmemb, size);
+ if (ptr)
+ memset(ptr, 0, nmemb*size);
return ptr;
}
|