[PATCH libICE 10/13] add check for malloc

walter harms wharms at bfs.de
Wed Oct 18 16:04:46 UTC 2017


>From ea066aa04dd118187ca0289053bc4ca5caa0a4a8 Mon Sep 17 00:00:00 2001


fix a potential null pointer deference error
convert malloc() to calloc() to have valid
null pointers on error. so we can release
already allocated memory

Signed-off-by: Walter Harms <wharms at bfs.de>
---
 src/register.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 7 deletions(-)

diff --git a/src/register.c b/src/register.c
index 833714b..2417dd7 100644
--- a/src/register.c
+++ b/src/register.c
@@ -67,7 +67,9 @@ IceRegisterForProtocolSetup (

     if (i <= _IceLastMajorOpcode)
     {
-	p = _IceProtocols[i - 1].orig_client = malloc (sizeof(_IcePoProtocol));
+        p = _IceProtocols[i - 1].orig_client = calloc (1,sizeof(_IcePoProtocol));
+	if (!p)
+	  return (-1);
 	opcodeRet = i;
     }
     else if (_IceLastMajorOpcode == 255 ||
@@ -82,7 +84,9 @@ IceRegisterForProtocolSetup (
 	    strdup(protocolName);

 	p = _IceProtocols[_IceLastMajorOpcode].orig_client =
-	    malloc (sizeof (_IcePoProtocol));
+	    calloc (1,sizeof (_IcePoProtocol));
+	if (!p)
+	  return (-1);

 	_IceProtocols[_IceLastMajorOpcode].accept_client = NULL;

@@ -95,15 +99,20 @@ IceRegisterForProtocolSetup (
     p->version_count = versionCount;

     p->version_recs = malloc (versionCount * sizeof (IcePoVersionRec));
+    if (!p->version_recs)
+        goto out_of_memory;
+
     memcpy (p->version_recs, versionRecs,
 	versionCount * sizeof (IcePoVersionRec));

     if ((p->auth_count = authCount) > 0)
     {
 	p->auth_names = malloc (authCount * sizeof (char *));
-
+	if (!p->auth_names);
+            goto out_of_memory;
 	p->auth_procs = malloc (authCount * sizeof (IcePoAuthProc));
-
+	if (!p->auth_names);
+            goto out_of_memory;
 	for (i = 0; i < authCount; i++)
 	{
 	    p->auth_names[i] = strdup(authNames[i]);
@@ -119,6 +128,15 @@ IceRegisterForProtocolSetup (
     p->io_error_proc = IOErrorProc;

     return (opcodeRet);
+
+out_of_memory:
+    free(p->auth_procs);
+    free(p->auth_names);
+    free(p->version_recs);
+    free(p->release);
+    free(p->vendor);
+    free(p);
+    return (-1);
 }


@@ -163,7 +181,10 @@ IceRegisterForProtocolReply (
     if (i <= _IceLastMajorOpcode)
     {
 	p = _IceProtocols[i - 1].accept_client =
-	    malloc (sizeof (_IcePaProtocol));
+	  calloc (1,sizeof (_IcePaProtocol));
+	if (!p)
+	  return (-1);
+
 	opcodeRet = i;
     }
     else if (_IceLastMajorOpcode == 255 ||
@@ -180,7 +201,9 @@ IceRegisterForProtocolReply (
 	_IceProtocols[_IceLastMajorOpcode].orig_client = NULL;

 	p = _IceProtocols[_IceLastMajorOpcode].accept_client =
-	    malloc (sizeof (_IcePaProtocol));
+	  calloc (1,sizeof (_IcePaProtocol));
+	if (!p)
+	  return (-1);

 	opcodeRet = ++_IceLastMajorOpcode;
     }
@@ -191,6 +214,9 @@ IceRegisterForProtocolReply (
     p->version_count = versionCount;

     p->version_recs = malloc (versionCount * sizeof (IcePaVersionRec));
+    if (!p->version_recs)
+        goto out_of_memory;
+
     memcpy (p->version_recs, versionRecs,
 	versionCount * sizeof (IcePaVersionRec));

@@ -200,8 +226,12 @@ IceRegisterForProtocolReply (
     if ((p->auth_count = authCount) > 0)
     {
 	p->auth_names = malloc (authCount * sizeof (char *));
+	if (!p->auth_names);
+            goto out_of_memory;

 	p->auth_procs = malloc (authCount * sizeof (IcePaAuthProc));
+	if (!p->auth_names);
+            goto out_of_memory;

 	for (i = 0; i < authCount; i++)
 	{
@@ -220,5 +250,14 @@ IceRegisterForProtocolReply (
     p->io_error_proc = IOErrorProc;

     return (opcodeRet);
-}

+out_of_memory:
+    free(p->auth_procs);
+    free(p->auth_names);
+    free(p->version_recs);
+    free(p->release);
+    free(p->vendor);
+    free(p);
+    return (-1);
+
+}
-- 
2.1.4



More information about the xorg-devel mailing list