From 9dd1c4b8f742632caabca69c0071f95587012d12 Mon Sep 17 00:00:00 2001
From: giraffedata
Date: Thu, 28 Nov 2013 00:07:53 +0000
Subject: Fix: wrong check or no check for asprintf/vasprintf failure
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2041 9d0c8265-081b-0410-96cb-a4ca84ce46f8
---
 doc/HISTORY | 3 +++
 lib/util/nstring.c | 7 +++++--
 lib/util/vasprintf.c | 6 ++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/doc/HISTORY b/doc/HISTORY
index a3effd50..b069e540 100644
--- a/doc/HISTORY
+++ b/doc/HISTORY
@@ -22,6 +22,9 @@ not yet BJH Release 10.65.00
 if invoked with SIGCHLD ignored. Introduced in 10.56 (September 2011).
+ Fix wild pointer dereference when memory allocation for a string
+ fails. Broken since 10.36 (September 2006).
+
 Build for big-endian machines: fix syntax error so it compiles. Introduced in 10.63 (June 2013).
diff --git a/lib/util/nstring.c b/lib/util/nstring.c
index ef47cbe1..bb2ba92e 100644
--- a/lib/util/nstring.c
+++ b/lib/util/nstring.c
@@ -791,9 +791,12 @@ pm_asprintf(const char ** const resultP,
 va_list varargs;
 #if HAVE_VASPRINTF
+ int rc;
 va_start(varargs, fmt);
- vasprintf((char **)&result, fmt, varargs);
+ rc = vasprintf((char **)&result, fmt, varargs);
 va_end(varargs);
+ if (rc < 0)
+ result = pm_strsol;
 #else
 size_t dryRunLen;
@@ -805,7 +808,7 @@ pm_asprintf(const char ** const resultP,
 if (dryRunLen + 1 < dryRunLen) /* arithmetic overflow */
- result = NULL;
+ result = pm_strsol;
 else {
 size_t const allocSize = dryRunLen + 1;
 char * buffer;
diff --git a/lib/util/vasprintf.c b/lib/util/vasprintf.c
index 209827eb..e38252fa 100644
--- a/lib/util/vasprintf.c
+++ b/lib/util/vasprintf.c
@@ -18,9 +18,11 @@ pm_vasprintf(const char ** const resultP,
 char * result;
 #if HAVE_VASPRINTF
- vasprintf(&result, format, varargs);
+ int rc;
- if (result == NULL)
+ rc = vasprintf(&result, format, varargs);
+
+ if (rc < 0)
 *resultP = pm_strsol;
 else
 *resultP = result;
--
cgit 1.4.1
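Review bot: The new `if (rc < 0)` test in the HAVE_VASPRINTF branch of pm_asprintf (lib/util/nstring.c, first hunk) carries no comment saying why the return value is tested rather than the pointer, which is exactly the mistake pm_vasprintf made before this commit. A one-line comment above the test would keep a later cleanup from going back to a pointer check: `/* vasprintf() may leave 'result' indeterminate on failure; only its return value is reliable */`. The same comment fits above `if (rc < 0)` in the lib/util/vasprintf.c hunk. pm_asprintf's body starts and ends outside this hunk.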
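Review bot: With `result = pm_strsol;` on the arithmetic-overflow path (lib/util/nstring.c, second hunk), pm_asprintf stops returning NULL on failure, and that change of contract is not documented anywhere in the visible lines. Callers can no longer detect failure with a NULL test, and if pm_strsol is a static sentinel, as its use in pm_vasprintf suggests, they must never pass the result to plain `free()`. A header comment on the function such as `/* On failure, *resultP is pm_strsol; release it only with this library's string-free routine */` would make that explicit. The `else {` branch that declares `buffer` continues outside the hunk, so its allocation-failure path should be checked to end in `pm_strsol` as well, so that every failure path of the function agrees.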