Watch out for wrapping arithmetics when calling malloc

andoma · andoma · commit 4fcf3a29f554 · 2017-09-07T19:41:44.000-07:00
diff --git a/db.c b/db.c
@@ -818,7 +818,7 @@ db_upgrade_schema(const char *schema_bundle)
       return -1;
     }
 
-    char *x = malloc(len + 1);
+    char *x = malloc_add(len, 1);
     memcpy(x, q, len);
     filebundle_free(q);
     x[len] = 0;
diff --git a/htsbuf.c b/htsbuf.c
@@ -30,6 +30,7 @@
 #include <sys/param.h>
 
 #include "htsbuf.h"
+#include "misc.h"
 
 /**
  *
@@ -418,7 +419,7 @@ htsbuf_append_and_escape_jsonstr(htsbuf_queue_t *hq, const char *str)
 char *
 htsbuf_to_string(htsbuf_queue_t *hq)
 {
-  char *r = malloc(hq->hq_size + 1);
+  char *r = malloc_add(hq->hq_size, 1);
   r[hq->hq_size] = 0;
   htsbuf_read(hq, r, hq->hq_size);
   return r;
diff --git a/htsmsg_binary.c b/htsmsg_binary.c
@@ -29,6 +29,7 @@
 #include <string.h>
 
 #include "htsmsg_binary.h"
+#include "misc.h"
 
 /*
  *
@@ -62,7 +63,7 @@ htsmsg_binary_des0(htsmsg_t *msg, const uint8_t *buf, size_t len)
     f->hmf_type  = type;
 
     if(namelen > 0) {
-      n = malloc(namelen + 1);
+      n = malloc_add(namelen, 1);
       memcpy(n, buf, namelen);
       n[namelen] = 0;
 
@@ -79,7 +80,7 @@ htsmsg_binary_des0(htsmsg_t *msg, const uint8_t *buf, size_t len)
 
     switch(type) {
     case HMF_STR:
-      f->hmf_str = n = malloc(datalen + 1);
+      f->hmf_str = n = malloc_add(datalen, 1);
       memcpy(n, buf, datalen);
       n[datalen] = 0;
       f->hmf_flags |= HMF_ALLOCED;
@@ -274,7 +275,7 @@ htsmsg_binary_serialize(htsmsg_t *msg, void **datap, size_t *lenp, int maxlen)
   if(len + 4 > maxlen)
     return -1;
 
-  data = malloc(len + 4);
+  data = malloc_add(len, 4);
 
   data[0] = len >> 24;
   data[1] = len >> 16;
diff --git a/http.c b/http.c
@@ -945,7 +945,7 @@ http_route_add(const char *path, http_callback2_t *callback, int flags)
     if(path[i] == '/')
       hr->hr_depth++;
 
-  char *p = malloc(len + 2);
+  char *p = malloc_add(len, 2);
   p[0] = '^';
   strcpy(p+1, path);
 
@@ -1192,7 +1192,7 @@ http_headers_complete(http_parser *p)
       return -1;
     }
     assert(hc->hc_body == NULL);
-    hc->hc_body = malloc(p->content_length + 1);
+    hc->hc_body = malloc_add(p->content_length, 1);
     if(hc->hc_body == NULL)
       return -1;
 
@@ -1936,7 +1936,7 @@ ws_dispatch(void *aux)
 
     size_t used = 0;
     size_t bufsize = 1000;
-    char *buf = malloc(bufsize + 1);
+    char *buf = malloc_add(bufsize, 1);
 
     while(1) {
       z->next_out = (void *)buf + used;
diff --git a/irc.c b/irc.c
@@ -190,7 +190,7 @@ irc_send(irc_client_t *ic, const char *fmt, ...)
   buf[l++]  = '\r';
   buf[l++]  = '\n';
 
-  irc_out_msg_t *iom = malloc(sizeof(irc_out_msg_t) + l);
+  irc_out_msg_t *iom = malloc_add(sizeof(irc_out_msg_t), l);
   iom->iom_length = l;
   memcpy(iom->iom_data, buf, l);
   TAILQ_INSERT_TAIL(&ic->ic_cmdq, iom, iom_link);
@@ -1074,7 +1074,7 @@ irc_msg_channel(const char *url, const char *channel,
 
         if(*str == '\n')
           str++;
-        irc_out_msg_t *iom = malloc(sizeof(irc_out_msg_t) + len);
+        irc_out_msg_t *iom = malloc_add(sizeof(irc_out_msg_t), len);
         iom->iom_length = len;
         memcpy(iom->iom_data, buf, len);
         iom->iom_expire = time(NULL) + ttl;
diff --git a/json.c b/json.c
@@ -28,6 +28,7 @@
 #include "json.h"
 #include "utf8.h"
 #include "dbl.h"
+#include "misc.h"
 
 #define NOT_THIS_TYPE ((void *)-1)
 
@@ -108,7 +109,7 @@ json_parse_string(const char *s, const char **endp,
 
       /* End */
       l = s - start;
-      r = malloc(l + 1);
+      r = malloc_add(l, 1);
       memcpy(r, start, l);
       r[l] = 0;
 
diff --git a/misc.c b/misc.c
@@ -376,7 +376,7 @@ readfile(const char *path, time_t *tsp)
   if(tsp != NULL)
     *tsp = st.st_mtime;
 
-  char *mem = malloc(st.st_size + 1);
+  char *mem = malloc_add(st.st_size, 1);
   mem[st.st_size] = 0;
   if(read(fd, mem, st.st_size) != st.st_size) {
     const int errsave = errno;
@@ -915,7 +915,7 @@ str_replace_tokens(char *str, const char *tokenprefix,
     int replacelen = strlen(tokens[i + 1]);
     int newlen = tlen - (d - a) + replacelen;
 
-    char *n = malloc(newlen + 1);
+    char *n = malloc_add(newlen, 1);
     memcpy(n, str, a - str);
     memcpy(n + (a - str), tokens[i + 1], replacelen);
     memcpy(n + (a - str) + replacelen, d, tlen - (d - str));
@@ -933,9 +933,7 @@ str_replace_tokens(char *str, const char *tokenprefix,
 char *
 bin2str(const void *src, size_t len)
 {
-  if(len > 1024L * 1024L * 1024L * 3L)
-    return NULL;
-  char *r = malloc(len + 1);
+  char *r = malloc_add(len, 1);
   r[len] = 0;
   memcpy(r, src, len);
   return r;
@@ -1009,3 +1007,22 @@ get_ts_mono(void)
   clock_gettime(CLOCK_MONOTONIC, &tv);
   return (int64_t)tv.tv_sec * 1000000LL + (tv.tv_nsec / 1000);
 }
+
+
+void *
+malloc_add(size_t a, size_t b)
+{
+  size_t c;
+  if(__builtin_add_overflow(a, b, &c))
+    return NULL;
+  return malloc(c);
+}
+
+void *
+malloc_mul(size_t a, size_t b)
+{
+  size_t c;
+  if(__builtin_mul_overflow(a, b, &c))
+    return NULL;
+  return malloc(c);
+}
diff --git a/misc.h b/misc.h
@@ -149,3 +149,7 @@ void freeuint8p(uint8_t **ptr);
 char *fmtv(const char *fmt, va_list ap);
 
 char *fmt(const char *fmt, ...)  __attribute__ ((format (printf, 1, 2)));
+
+void *malloc_add(size_t a, size_t b);
+
+void *malloc_mul(size_t a, size_t b);
diff --git a/ntv.c b/ntv.c
@@ -31,6 +31,8 @@
 #include <inttypes.h>
 #include <sys/param.h>
 #include "ntv.h"
+#include "misc.h"
+
 
 ntv_t *
 ntv_create(ntv_type type)
@@ -589,8 +591,8 @@ ntv_cmp_map(const ntv_t *aa, const ntv_t *bb)
   if(num == 0)
     return 0;
 
-  av = malloc(num * sizeof(ntv_t *));
-  bv = malloc(num * sizeof(ntv_t *));
+  av = malloc_mul(num, sizeof(ntv_t *));
+  bv = malloc_mul(num, sizeof(ntv_t *));
 
   i = 0;
   NTV_FOREACH(a, aa)
diff --git a/ntv_binary.c b/ntv_binary.c
@@ -27,7 +27,7 @@
 
 #include "ntv.h"
 #include "mbuf.h"
-
+#include "misc.h"
 
 // These values are selected based on bytes that must never occur in
 // UTF8 strings. Just to accidentally avoid parsing text as NTV for
@@ -195,7 +195,7 @@ ntv_read_string(const uint8_t *data, const uint8_t *dataend, char **res)
   if(data == NULL)
     return NULL;
 
-  char *r = *res = malloc(u64 + 1);
+  char *r = *res = malloc_add(u64, 1);
   if(r == NULL)
     return NULL;
 
diff --git a/ntv_msgpack.c b/ntv_msgpack.c
@@ -28,6 +28,7 @@
 #include "ntv.h"
 #include "mbuf.h"
 #include "bytestream.h"
+#include "misc.h"
 
 static void
 msgpack_write_byte(mbuf_t *hq, uint8_t c)
@@ -247,7 +248,7 @@ msgpack_read_data(const uint8_t *data, const uint8_t *dataend, void *res,
   if(length > dataend - data)
     return msgpack_err(data, ec, "EOF, trying to read %d bytes", length);
 
-  char *r = malloc(length + 1);
+  char *r = malloc_add(length, 1);
   if(r == NULL)
     return msgpack_err(data, ec, "Out of memory");
 
diff --git a/strvec.c b/strvec.c
@@ -34,7 +34,7 @@ strvec_push_alloced(strvec_t *vec, char *value)
 static void
 strvec_pushl(strvec_t *vec, const char *value, size_t len)
 {
-  char *x = malloc(len + 1);
+  char *x = malloc_add(len, 1);
   memcpy(x, value, len);
   x[len] = 0;
   strvec_push_alloced(vec, x);
@@ -142,7 +142,7 @@ strvec_copy(strvec_t *dst, const strvec_t *src)
   // We trim the capacity down to the actual size here
   dst->count = dst->capacity = src->count;
 
-  dst->v = malloc(dst->count * sizeof(dst->v[0]));
+  dst->v = malloc_mul(dst->count, sizeof(dst->v[0]));
   for(int i = 0; i < dst->count; i++)
     dst->v[i] = src->v[i] ? strdup(src->v[i]) : NULL;
 }
diff --git a/talloc.c b/talloc.c
@@ -28,6 +28,7 @@
 #include <stdarg.h>
 
 #include "talloc.h"
+#include "misc.h"
 
 typedef struct talloc_item {
   struct talloc_item *next;
@@ -111,7 +112,7 @@ talloc_insert(talloc_item_t *t)
 void *
 talloc_malloc(size_t s)
 {
-  talloc_item_t *t = malloc(s + sizeof(talloc_item_t));
+  talloc_item_t *t = malloc_add(s, sizeof(talloc_item_t));
   talloc_insert(t);
   return t + 1;
 }
@@ -123,9 +124,10 @@ talloc_malloc(size_t s)
 void *
 talloc_zalloc(size_t s)
 {
-  talloc_item_t *t = calloc(1, s + sizeof(talloc_item_t));
-  talloc_insert(t);
-  return t + 1;
+  void *x = talloc_malloc(s);
+  if(x != NULL)
+    memset(x, 0, s);
+  return x;
 }
 
 
diff --git a/tcp.c b/tcp.c
@@ -46,6 +46,7 @@
 #include <openssl/x509v3.h>
 
 #include "tcp.h"
+#include "misc.h"
 
 static SSL_CTX *ssl_ctx;
 static pthread_mutex_t *ssl_locks;
@@ -788,7 +789,7 @@ tcp_init1(const char *extra_ca, int init_ssl)
     SSL_load_error_strings();
 
     int i, n = CRYPTO_num_locks();
-    ssl_locks = malloc(sizeof(pthread_mutex_t) * n);
+    ssl_locks = malloc_mul(sizeof(pthread_mutex_t), n);
     for(i = 0; i < n; i++)
       pthread_mutex_init(&ssl_locks[i], NULL);
 
diff --git a/websocket_client.c b/websocket_client.c
@@ -148,7 +148,7 @@ wsc_read(ws_client_t *wsc, struct htsbuf_queue *hq)
 
     if(hq->hq_size < hoff + len)
       return;
-    uint8_t *d = malloc(len+1);
+    uint8_t *d = malloc_add(len, 1);
     htsbuf_drop(hq, hoff);
     htsbuf_read(hq, d, len);
     d[len] = 0;

Original file line number	Diff line number	Diff line change
`@@ -818,7 +818,7 @@ db_upgrade_schema(const char *schema_bundle)`
`818`	`818`	`return -1;`
`819`	`819`	`}`
`820`	`820`
`821`		`- char *x = malloc(len + 1);`
	`821`	`+ char *x = malloc_add(len, 1);`
`822`	`822`	`memcpy(x, q, len);`
`823`	`823`	`filebundle_free(q);`
`824`	`824`	`x[len] = 0;`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,7 @@`
`30`	`30`	`#include <sys/param.h>`
`31`	`31`
`32`	`32`	`#include "htsbuf.h"`
	`33`	`+#include "misc.h"`
`33`	`34`
`34`	`35`	`/**`
`35`	`36`	`*`
`@@ -418,7 +419,7 @@ htsbuf_append_and_escape_jsonstr(htsbuf_queue_t hq, const char str)`
`418`	`419`	`char *`
`419`	`420`	`htsbuf_to_string(htsbuf_queue_t *hq)`
`420`	`421`	`{`
`421`		`- char *r = malloc(hq->hq_size + 1);`
	`422`	`+ char *r = malloc_add(hq->hq_size, 1);`
`422`	`423`	`r[hq->hq_size] = 0;`
`423`	`424`	`htsbuf_read(hq, r, hq->hq_size);`
`424`	`425`	`return r;`