Zsh Mailing List Archive

[PATCH] Fortify zrealloc append to arrays



Hello,
one user of my project reports a crash with a message about realloc() when pasting:

$ openssl req -new -newkey rsa:4096 > regisrealloc(): invalid old size
Connection to localhost closed.

I looked at my code that introduced realloc() to array appends. It
seems that its correctness is guarded by this: before the patch, the old
pointer (old array) was subject to arrsetfn, which does freearray().
So if the string can be freed, it can for sure be realloc()-ed.

That said, I have a patch that checks if the old pointer isn't nullarray
(a static variable) and that the parameter has the standard getter. A
fortification, to sleep better.

-- 
Best regards,
Sebastian Gniazdowski
diff --git a/Src/params.c b/Src/params.c
index f130934..95272b7 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -150,6 +150,8 @@ rprompt_indent_unsetfn(Param pm, int exp);
 
 /* Standard methods for get/set/unset pointers in parameters */
 
+static char *nullarray = NULL;
+
 /**/
 mod_export const struct gsu_scalar stdscalar_gsu =
 { strgetfn, strsetfn, stdunsetfn };
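Review bot: the relocated `static char *nullarray = NULL;` now sits under the "Standard methods for get/set/unset pointers" comment, which says nothing about it; add a one-line comment at the new definition stating that it is the sentinel `setarrvalue` compares `old` against, since the only reason for the move is to make the symbol visible before that function.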
@@ -2803,7 +2805,8 @@ setarrvalue(Value v, char **val)
             if (post_assignment_length > pre_assignment_length &&
                     pre_assignment_length <= v->start &&
                     pre_assignment_length > 0 &&
-                    v->pm->gsu.a->setfn == arrsetfn)
+                    v->pm->gsu.a->setfn == arrsetfn && v->pm->gsu.a->getfn == arrgetfn &&
+                    old != &nullarray)
             {
                 p = new = (char **) zrealloc(old, sizeof(char *)
                                            * (post_assignment_length + 1));
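Review bot: the extended condition runs well past 80 columns and packs two tests on one line, unlike the one-clause-per-line style of the surrounding lines; split it as `v->pm->gsu.a->setfn == arrsetfn &&` / `v->pm->gsu.a->getfn == arrgetfn &&` / `old != &nullarray)`. The `getfn == arrgetfn` test only helps if `old` was obtained through that getter, so a short comment here saying why `old` is guaranteed to be a heap block owned by the parameter (the freearray() argument from the cover letter) would document the invariant the sentinel check alone does not cover.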
@@ -3788,8 +3791,6 @@ strsetfn(Param pm, char *x)
 
 /* Function to get value of an array parameter */
 
-static char *nullarray = NULL;
-
 /**/
 char **
 arrgetfn(Param pm)
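Review bot: removing the definition here separates `nullarray` from `arrgetfn`, the function it was defined next to; a brief comment pointing at the new location near `stdscalar_gsu` would save the next reader from searching for it.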

