Check for overflow in the addition in snew_plus().

We were carefully checking for overflow inside safemalloc() before multiplying together the two factors of the desired allocation size. But snew_plus() did an addition _outside_ safemalloc, without the same guard. Now that addition also happens inside safemalloc.
2025-07-18 11:31:00 -05:00 · 2019-06-28 19:38:45 +01:00
parent c191ff129c
commit 81609be052
2 changed files with 26 additions and 17 deletions
--- a/puttymem.h
+++ b/puttymem.h
@ -10,13 +10,13 @@

 #include "defs.h"

-#define smalloc(z) safemalloc(z,1)
+#define smalloc(z) safemalloc(z,1,0)
 #define snmalloc safemalloc
 #define srealloc(y,z) saferealloc(y,z,1)
 #define snrealloc saferealloc
 #define sfree safefree

-void *safemalloc(size_t, size_t);
+void *safemalloc(size_t factor1, size_t factor2, size_t addend);
 void *saferealloc(void *, size_t, size_t);
 void safefree(void *);

@ -28,8 +28,8 @@ void safefree(void *);
 * TYPECHECK to verify that the _input_ pointer is a pointer to the
 * correct type.
 */
-#define snew(type) ((type *)snmalloc(1, sizeof(type)))
-#define snewn(n, type) ((type *)snmalloc((n), sizeof(type)))
+#define snew(type) ((type *)snmalloc(1, sizeof(type), 0))
+#define snewn(n, type) ((type *)snmalloc((n), sizeof(type), 0))
 #define sresize(ptr, n, type) TYPECHECK((type *)0 == (ptr), \
    ((type *)snrealloc((ptr), (n), sizeof(type))))

@ -45,7 +45,7 @@ void safefree(void *);
 * result to void *, so you can assign it straight to wherever you
 * wanted it.
 */
-#define snew_plus(type, extra) ((type *)snmalloc(1, sizeof(type) + (extra)))
+#define snew_plus(type, extra) ((type *)snmalloc(1, sizeof(type), (extra)))
 #define snew_plus_get_aux(ptr) ((void *)((ptr) + 1))

 /*