From 36812092ecb11a25ca9d6d87fdeaf53e371c5043 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sun, 26 Mar 2006 14:22:47 +1100
Subject:    - djm@cvs.openbsd.org 2006/03/25 01:13:23      [buffer.c
 channels.c deattack.c misc.c scp.c session.c sftp-client.c]     
 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]     
 [uidswap.c]      change OpenSSH's xrealloc() function from being xrealloc(p,
 new_size)      to xrealloc(p, new_nmemb, new_itemsize).

     realloc is particularly prone to integer overflows because it is
     almost always allocating "n * size" bytes, so this is a far safer
     API; ok deraadt@
---
 xmalloc.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'xmalloc.c')

diff --git a/xmalloc.c b/xmalloc.c
index 6d56781d9..d5d7b6bc5 100644
--- a/xmalloc.c
+++ b/xmalloc.c
@@ -35,7 +35,7 @@ xcalloc(size_t nmemb, size_t size)
 {
 	void *ptr;
 
-        if (nmemb && size && SIZE_T_MAX / nmemb < size)
+	if (nmemb && size && SIZE_T_MAX / nmemb < size)
 		fatal("xcalloc: nmemb * size > SIZE_T_MAX");
 	if (size == 0 || nmemb == 0)
 		fatal("xcalloc: zero size");
@@ -47,10 +47,13 @@ xcalloc(size_t nmemb, size_t size)
 }
 
 void *
-xrealloc(void *ptr, size_t new_size)
+xrealloc(void *ptr, size_t nmemb, size_t size)
 {
 	void *new_ptr;
+	size_t new_size = nmemb * size;
 
+	if (nmemb && size && SIZE_T_MAX / nmemb < size)
+		fatal("xrealloc: nmemb * size > SIZE_T_MAX");
 	if (new_size == 0)
 		fatal("xrealloc: zero size");
 	if (ptr == NULL)
@@ -58,7 +61,8 @@ xrealloc(void *ptr, size_t new_size)
 	else
 		new_ptr = realloc(ptr, new_size);
 	if (new_ptr == NULL)
-		fatal("xrealloc: out of memory (new_size %lu bytes)", (u_long) new_size);
+		fatal("xrealloc: out of memory (new_size %lu bytes)",
+		    (u_long) new_size);
 	return new_ptr;
 }
 
-- 
cgit v1.2.3