From 4a1d0977dbb6eb960ca4deedba90940bcaeecefb Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 8 May 2022 12:20:58 -0700 Subject: [PATCH 1/2] Import reallocarray() from libX11 (originally from OpenBSD) Wrapper for realloc() that checks for overflow when multiplying arguments together, so we don't have to add overflow checks to every single call. For documentation on usage, see: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3 Signed-off-by: Alan Coopersmith --- configure.ac | 1 + src/FSlibos.h | 14 +++++++++++++- src/Makefile.am | 2 +- src/reallocarray.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 58 insertions(+), 2 deletions(-) create mode 100644 src/reallocarray.c diff --git a/configure.ac b/configure.ac index 2248380..133ee27 100644 --- a/configure.ac +++ b/configure.ac @@ -53,6 +53,7 @@ XTRANS_CONNECTION_FLAGS # Checks for library functions. AC_CHECK_FUNCS([strlcpy strnlen]) +AC_REPLACE_FUNCS([reallocarray]) # Allow checking code with lint, sparse, etc. XORG_WITH_LINT diff --git a/src/FSlibos.h b/src/FSlibos.h index baf9902..c09d36d 100644 --- a/src/FSlibos.h +++ b/src/FSlibos.h @@ -54,6 +54,7 @@ in this Software without prior written authorization from The Open Group. */ #include +#include #include #ifndef WIN32 @@ -270,6 +271,11 @@ typedef fd_set FdSet; #define UnlockDisplay(dis) #define FSfree(ptr) free((ptr)) +#ifndef HAVE_REALLOCARRAY +extern _X_HIDDEN void *fsreallocarray(void *optr, size_t nmemb, size_t size); +# define reallocarray(ptr, n, size) \ + fsreallocarray((ptr), (size_t)(n), (size_t)(size)) +#endif /* * Note that some machines do not return a valid pointer for malloc(0), in @@ -278,16 +284,22 @@ typedef fd_set FdSet; * FSlib code expects malloc(0) to return a valid pointer to storage. */ -#ifdef MALLOC_0_RETURNS_NULL +#if defined(MALLOC_0_RETURNS_NULL) || defined(__clang_analyzer__) # define FSmalloc(size) malloc(((size) > 0 ? (size) : 1)) # define FSrealloc(ptr, size) realloc((ptr), ((size) > 0 ? (size) : 1)) # define FScalloc(nelem, elsize) calloc(((nelem) > 0 ? (nelem) : 1), (elsize)) +# define FSreallocarray(ptr, n, size) \ + reallocarray((ptr), ((n) == 0 ? 1 : (n)), size) #else # define FSmalloc(size) malloc((size)) # define FSrealloc(ptr, size) realloc((ptr), (size)) # define FScalloc(nelem, elsize) calloc((nelem), (elsize)) +# define FSreallocarray(ptr, n, size) reallocarray((ptr), (n), (size)) + #endif +#define FSmallocarray(n, size) FSreallocarray(NULL, (n), (size)) + #define SearchString(string, char) index((string), (char)) diff --git a/src/Makefile.am b/src/Makefile.am index 56fd0db..327be0a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -38,7 +38,7 @@ AM_CFLAGS = \ AM_CPPFLAGS = -I$(top_srcdir)/include/X11/fonts -libFS_la_LIBADD = $(FS_LIBS) +libFS_la_LIBADD = $(LTLIBOBJS) $(FS_LIBS) libFS_la_LDFLAGS = -export-symbols-regex '^FS.*' -version-number 6:0:0 -no-undefined diff --git a/src/reallocarray.c b/src/reallocarray.c new file mode 100644 index 0000000..aef3843 --- /dev/null +++ b/src/reallocarray.c @@ -0,0 +1,43 @@ +/* $OpenBSD: reallocarray.c,v 1.2 2014/12/08 03:45:00 bcook Exp $ */ +/* + * Copyright (c) 2008 Otto Moerbeek + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include "FSlibos.h" + +/* + * This is sqrt(SIZE_MAX+1), as s1*s2 <= SIZE_MAX + * if both s1 < MUL_NO_OVERFLOW and s2 < MUL_NO_OVERFLOW + */ +#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4)) + +void * +fsreallocarray(void *optr, size_t nmemb, size_t size) +{ + if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) && + nmemb > 0 && SIZE_MAX / nmemb < size) { + errno = ENOMEM; + return NULL; + } + return realloc(optr, size * nmemb); +} -- GitLab From ee33ecf31706877e1ab7dc257fadbb3eb535da50 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sun, 8 May 2022 12:35:00 -0700 Subject: [PATCH 2/2] Convert code to use FSmallocarray() & FSreallocarray() Provides automatic integer overflow checking in allocation size calculations (Though we already have explicit checks before using values provided over the protocol in calculations, so many were already manually checked.) Signed-off-by: Alan Coopersmith --- src/FSFontInfo.c | 6 +++--- src/FSFtNames.c | 2 +- src/FSGetCats.c | 2 +- src/FSListCats.c | 2 +- src/FSListExt.c | 2 +- src/FSOpenServ.c | 2 +- src/FSQGlyphs.c | 6 +++--- src/FSQXExt.c | 6 +++--- src/FSQXInfo.c | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/src/FSFontInfo.c b/src/FSFontInfo.c index fd807ae..3a5fe43 100644 --- a/src/FSFontInfo.c +++ b/src/FSFontInfo.c @@ -130,7 +130,7 @@ FSListFontsWithXInfo( if (fhdr) { #define ResizeArray(var, type) { \ - type **tmp = FSrealloc(var, sizeof(type *) * size); \ + type **tmp = FSreallocarray(var, size, sizeof(type *)); \ if (tmp) \ var = tmp; \ else \ @@ -144,7 +144,7 @@ FSListFontsWithXInfo( ResizeArray(pd, unsigned char) } else { #define InitArray(var, type) \ - if ((var = FSmalloc(sizeof(type *) * size)) == NULL) { \ + if ((var = FSmallocarray(size, sizeof(type *))) == NULL) { \ goto badmem; \ } @@ -184,7 +184,7 @@ FSListFontsWithXInfo( goto cleanpi; #endif - po[i] = FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset)); + po[i] = FSmallocarray(pi[i]->num_offsets, sizeof(FSPropOffset)); if (!po[i]) goto cleanpi; pd[i] = FSmalloc(pi[i]->data_len); diff --git a/src/FSFtNames.c b/src/FSFtNames.c index 1dea246..23c93a3 100644 --- a/src/FSFtNames.c +++ b/src/FSFtNames.c @@ -98,7 +98,7 @@ FSListFonts( && rep.length <= (SIZE_MAX >> 2) #endif ) { - flist = FSmalloc(rep.nFonts * sizeof(char *)); + flist = FSmallocarray(rep.nFonts, sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListFontsReply); c = FSmalloc(rlen + 1); diff --git a/src/FSGetCats.c b/src/FSGetCats.c index d8fae40..4c27a34 100644 --- a/src/FSGetCats.c +++ b/src/FSGetCats.c @@ -79,7 +79,7 @@ FSGetCatalogues( && rep.length <= (SIZE_MAX >> 2) #endif ) { - list = FSmalloc(rep.num_catalogues * sizeof(char *)); + list = FSmallocarray(rep.num_catalogues, sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply); c = FSmalloc(rlen + 1); if ((!list) || (!c)) { diff --git a/src/FSListCats.c b/src/FSListCats.c index 2bc1393..9fb380c 100644 --- a/src/FSListCats.c +++ b/src/FSListCats.c @@ -97,7 +97,7 @@ FSListCatalogues( && rep.length <= (SIZE_MAX>>2) #endif ) { - clist = FSmalloc(rep.num_catalogues * sizeof(char *)); + clist = FSmallocarray(rep.num_catalogues, sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply); c = FSmalloc(rlen + 1); diff --git a/src/FSListExt.c b/src/FSListExt.c index 8d83bd3..a4249f4 100644 --- a/src/FSListExt.c +++ b/src/FSListExt.c @@ -79,7 +79,7 @@ FSListExtensions( && rep.length <= (SIZE_MAX>>2) #endif ) { - list = FSmalloc(rep.nExtensions * sizeof(char *)); + list = FSmallocarray(rep.nExtensions, sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply); c = FSmalloc(rlen + 1); if ((!list) || (!c)) { diff --git a/src/FSOpenServ.c b/src/FSOpenServ.c index faebe13..5acef9f 100644 --- a/src/FSOpenServ.c +++ b/src/FSOpenServ.c @@ -167,7 +167,7 @@ FSOpenServer(const char *server) } #endif - alts = FSmalloc(sizeof(AlternateServer) * prefix.num_alternates); + alts = FSmallocarray(prefix.num_alternates, sizeof(AlternateServer)); if (!alts) { goto fail; } diff --git a/src/FSQGlyphs.c b/src/FSQGlyphs.c index e40c88a..662da36 100644 --- a/src/FSQGlyphs.c +++ b/src/FSQGlyphs.c @@ -93,7 +93,7 @@ FSQueryXBitmaps8( return FSBadAlloc; #endif - offs = FSmalloc(sizeof(FSOffset) * reply.num_chars); + offs = FSmallocarray(reply.num_chars, sizeof(FSOffset)); *offsets = offs; if (!offs) return FSBadAlloc; @@ -160,7 +160,7 @@ FSQueryXBitmaps16( if (str_len > SIZE_MAX/SIZEOF(fsChar2b_version1)) return FSBadAlloc; - swapped_str = FSmalloc(SIZEOF(fsChar2b_version1) * str_len); + swapped_str = FSmallocarray(str_len, SIZEOF(fsChar2b_version1)); if (!swapped_str) return FSBadAlloc; for (unsigned long i = 0; i < str_len; i++) { @@ -182,7 +182,7 @@ FSQueryXBitmaps16( if(reply.num_chars > SIZE_MAX/sizeof(FSOffset)) return FSBadAlloc; #endif - offs = FSmalloc(sizeof(FSOffset) * reply.num_chars); + offs = FSmallocarray(reply.num_chars, sizeof(FSOffset)); *offsets = offs; if (!offs) return FSBadAlloc; diff --git a/src/FSQXExt.c b/src/FSQXExt.c index 1469636..65f35b1 100644 --- a/src/FSQXExt.c +++ b/src/FSQXExt.c @@ -100,7 +100,7 @@ FSQueryXExtents8( return FSBadAlloc; #endif - ext = FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); + ext = FSmallocarray(reply.num_extents, sizeof(FSXCharInfo)); *extents = ext; if (!ext) return FSBadAlloc; @@ -141,7 +141,7 @@ FSQueryXExtents16( { fsChar2b_version1 *swapped_str; - swapped_str = FSmalloc(SIZEOF(fsChar2b_version1) * str_len); + swapped_str = FSmallocarray(str_len, SIZEOF(fsChar2b_version1)); if (!swapped_str) return FSBadAlloc; for (unsigned long i = 0; i < str_len; i++) { @@ -164,7 +164,7 @@ FSQueryXExtents16( return FSBadAlloc; #endif - ext = FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); + ext = FSmallocarray(reply.num_extents, sizeof(FSXCharInfo)); *extents = ext; if (!ext) return FSBadAlloc; diff --git a/src/FSQXInfo.c b/src/FSQXInfo.c index de776ce..f497a09 100644 --- a/src/FSQXInfo.c +++ b/src/FSQXInfo.c @@ -97,7 +97,7 @@ FSQueryXInfo( #endif /* prepare for prop data */ - offset_data = FSmalloc(props->num_offsets * sizeof(FSPropOffset)); + offset_data = FSmallocarray(props->num_offsets, sizeof(FSPropOffset)); if (!offset_data) return FSBadAlloc; pdata = FSmalloc(props->data_len); -- GitLab