diff --git a/binr/rabin2/rabin2.c b/binr/rabin2/rabin2.c index 9c9a0908c2..7246684f4f 100644 --- a/binr/rabin2/rabin2.c +++ b/binr/rabin2/rabin2.c @@ -259,6 +259,7 @@ static int rabin_dump_sections(char *scnname) { RBinSection *section; ut8 *buf; char *ret; + int r; if ((sections = r_bin_get_sections (bin)) == NULL) return false; @@ -267,11 +268,27 @@ static int rabin_dump_sections(char *scnname) { if (!strcmp (scnname, section->name)) { if (!(buf = malloc (section->size))) return false; + if ((section->size * 2) + 1 < section->size) { + free (buf); + return false; + } if (!(ret = malloc (section->size*2+1))) { free (buf); return false; } - r_buf_read_at (bin->cur->buf, section->paddr, buf, section->size); + if (section->paddr > bin->cur->buf->length || + section->paddr + section->size > bin->cur->buf->length) { + free (buf); + free (ret); + return false; + } + r = r_buf_read_at (bin->cur->buf, section->paddr, + buf, section->size); + if (r < 1) { + free (buf); + free (ret); + return false; + } if (output) { r_file_dump (output, buf, section->size, 0); } else { diff --git a/libr/asm/arch/8051/8051.c b/libr/asm/arch/8051/8051.c index 24d7d985c3..f05857c2df 100644 --- a/libr/asm/arch/8051/8051.c +++ b/libr/asm/arch/8051/8051.c @@ -167,19 +167,24 @@ r_8051_op r_8051_decode(const ut8 *buf, int len) { static char *strdup_filter (const char *str, const ut8 *buf) { char *o; int i, j, len; - if (!str) - return NULL; + if (!str) return NULL; len = strlen (str); - o = malloc (1+len*4); - for (i=j=0; i='0' && n<='9') { n -= '0'; i++; j += sprintf (o+j, "0x%02x", buf[n]); - } else eprintf ("strdup_filter: Internal bug\n"); - } else o[j++] = str[i]; + } else { + eprintf ("strdup_filter: Internal bug\n"); + } + } else { + o[j++] = str[i]; + } } o[j] = 0; return o; diff --git a/libr/cons/dietline.c b/libr/cons/dietline.c index 8e0b1cbdeb..68afadc051 100644 --- a/libr/cons/dietline.c +++ b/libr/cons/dietline.c @@ -44,11 +44,13 @@ static inline int is_valid_char (unsigned char ch) { static int inithist() { ZERO_FILL (I.history); - I.history.data = (char **)malloc ((I.history.size+1024)*sizeof(char *)); - if (I.history.data==NULL) + if ((I.history.size + 1024) * sizeof(char *) < I.history.size) + return false; + I.history.data = (char **)malloc ((I.history.size + 1024) * sizeof(char *)); + if (!I.history.data) return false; I.history.size = R_LINE_HISTSIZE; - memset (I.history.data, 0, I.history.size*sizeof(char *)); + memset (I.history.data, 0, I.history.size * sizeof(char *)); return true; } @@ -352,7 +354,7 @@ R_API void r_line_autocomplete() { p++; plen = sizeof (I.buffer.data)-(int)(size_t)(p-I.buffer.data); } else { - p = I.buffer.data; // XXX: removes current buffer + p = I.buffer.data; // XXX: removes current buffer plen = sizeof (I.buffer.data); } /* autocomplete */ @@ -816,9 +818,9 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) { I.buffer.index = I.buffer.length = 0; I.buffer.data[0] = '\0'; if (I.contents) { - memmove (I.buffer.data, I.contents, + memmove (I.buffer.data, I.contents, R_MIN (strlen (I.contents)+1, R_LINE_BUFSIZE-1)); - I.buffer.data[R_LINE_BUFSIZE-1] = '\0'; + I.buffer.data[R_LINE_BUFSIZE-1] = '\0'; I.buffer.index = I.buffer.length = strlen (I.contents); } if (I.disable) { @@ -909,7 +911,7 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) { I.buffer.data[I.buffer.length] = 0; // probably unnecessary tmp_ed_cmd = I.editor_cb (I.user, I.buffer.data); if (tmp_ed_cmd) { - /* copied from yank (case 25) */ + /* copied from yank (case 25) */ I.buffer.length = strlen (tmp_ed_cmd); if (I.buffer.length < R_LINE_BUFSIZE) { I.buffer.index = I.buffer.length; @@ -918,9 +920,9 @@ R_API const char *r_line_readline_cb(RLineReadCallback cb, void *user) { } else I.buffer.length -= strlen (tmp_ed_cmd); free (tmp_ed_cmd); } - } else I.buffer.index = I.buffer.length; + } else I.buffer.index = I.buffer.length; break; - case 3: // ^C + case 3: // ^C if (I.echo) eprintf ("^C\n"); I.buffer.index = I.buffer.length = 0; diff --git a/libr/cons/less.c b/libr/cons/less.c index 4df12ee131..2d33afbcba 100644 --- a/libr/cons/less.c +++ b/libr/cons/less.c @@ -60,18 +60,32 @@ static void printpage (const char *line, int *index, RList **mla, static int *splitlines (char *s, int *lines_count) { int lines_size = 128; - int *lines = malloc (lines_size*sizeof(int)); + int *lines = NULL; int i, row = 0; int sidx = 0; + + if (lines_size * sizeof(int) < lines_size) return NULL; + lines = malloc (lines_size * sizeof(int)); + if (!lines) return NULL; lines[row++] = 0; - for (i=0; s[i]; i++) { - if (row>=lines_size) { + for (i = 0; s[i]; i++) { + if (row >= lines_size) { + int *tmp; lines_size += 128; - lines = realloc (lines, lines_size*sizeof(int)); + if (lines_size * sizeof(int) < lines_size) { + free (lines); + return NULL; + } + tmp = realloc (lines, lines_size * sizeof(int)); + if (!tmp) { + free (lines); + return NULL; + } + lines = tmp; } - if (s[i]=='\n') { + if (s[i] == '\n') { s[i] = 0; - lines[row++] = i+1; + lines[row++] = i + 1; } sidx++; } diff --git a/libr/core/core.c b/libr/core/core.c index 1c3f7270a5..d7d60ee70b 100644 --- a/libr/core/core.c +++ b/libr/core/core.c @@ -1184,7 +1184,12 @@ R_API int r_core_init(RCore *core) { core->flags = r_flag_new (); core->graph = r_agraph_new (r_cons_canvas_new (1, 1)); core->asmqjmps_size = R_CORE_ASMQJMPS_NUM; - core->asmqjmps = R_NEWS (ut64, core->asmqjmps_size); + if (sizeof(ut64) * core->asmqjmps_size < core->asmqjmps_size) { + core->asmqjmps_size = 0; + core->asmqjmps = NULL; + } else { + core->asmqjmps = R_NEWS (ut64, core->asmqjmps_size); + } r_bin_bind (core->bin, &(core->assembler->binb)); r_bin_bind (core->bin, &(core->anal->binb)); diff --git a/libr/core/graph.c b/libr/core/graph.c index e1a1cfe371..cc2c524747 100644 --- a/libr/core/graph.c +++ b/libr/core/graph.c @@ -541,12 +541,17 @@ static void create_layers (RAGraph *g) { /* create a starting ordering of nodes for each layer */ g->n_layers++; + if (sizeof (struct layer_t) * g->n_layers < g->n_layers) return; g->layers = R_NEWS0 (struct layer_t, g->n_layers); graph_foreach_anode (nodes, it, gn, n) g->layers[n->layer].n_nodes++; for (i = 0; i < g->n_layers; ++i) { + if (sizeof(RGraphNode*) * g->layers[i].n_nodes < g->layers[i].n_nodes) { + //FIXME how to handle properly this error ret2libc? + continue; + } g->layers[i].nodes = R_NEWS (RGraphNode *, g->layers[i].n_nodes); g->layers[i].position = 0; } diff --git a/libr/core/hack.c b/libr/core/hack.c index 87e173039f..8f2c4303f3 100644 --- a/libr/core/hack.c +++ b/libr/core/hack.c @@ -139,10 +139,12 @@ R_API int r_core_hack_x86(RCore *core, const char *op, const RAnalOp *analop) { const ut8 *b = core->block; const int size = analop->size; if (!strcmp (op, "nop")) { - char* str = malloc (size*2 + 1); + if (size * 2 + 1 < size) return false; + char *str = malloc (size * 2 + 1); + if (!str) return false; int i; - for (i=0;i 0) { - digest_hex = malloc ((digest_size * 2) + 1); - for (i = 0; i < digest_size; i++) - sprintf (digest_hex + (i * 2), "%02x", ctx->digest[i]); - digest_hex[digest_size * 2] = 0; + if (digest_size * 2 < digest_size) { + digest_hex = NULL; + } else { + digest_hex = malloc ((digest_size * 2) + 1); + for (i = 0; i < digest_size; i++) + sprintf (digest_hex + (i * 2), "%02x", ctx->digest[i]); + digest_hex[digest_size * 2] = 0; + } } if (myctx) { r_hash_free (myctx); diff --git a/libr/include/r_flist.h b/libr/include/r_flist.h index da636d2dae..a2ccf15a28 100644 --- a/libr/include/r_flist.h +++ b/libr/include/r_flist.h @@ -37,7 +37,8 @@ static inline void **r_flist_init(void **it, int n) { static inline void **r_flist_new(int n) { void **it; - if (!(it = (void **)malloc ((n+2) * sizeof (void*)))) + if (((n + 2) * sizeof(void*)) < sizeof(void*)) return NULL; + if (!(it = (void **)malloc ((n + 2) * sizeof (void*)))) return NULL; return r_flist_init (it, n); } diff --git a/libr/io/p/io_r2web.c b/libr/io/p/io_r2web.c index dc5283ec38..2437b3efda 100644 --- a/libr/io/p/io_r2web.c +++ b/libr/io/p/io_r2web.c @@ -19,8 +19,9 @@ static int __write(RIO *io, RIODesc *fd, const ut8 *buf, int count) { char *out, *url, *hexbuf; if (fd == NULL || fd->data == NULL) return -1; - + if (count * 3 < count) return -1; hexbuf = malloc (count * 3); + if (!hexbuf) return -1; hexbuf[0] = 0; r_hex_bin2str (buf, count, hexbuf); url = r_str_newf ("%s/wx%%20%s@%"PFMT64d, diff --git a/libr/util/base64.c b/libr/util/base64.c index 146a36c91a..4820631e9c 100644 --- a/libr/util/base64.c +++ b/libr/util/base64.c @@ -77,15 +77,16 @@ R_API int r_base64_encode(char *bout, const ut8 *bin, int len) { } R_API char *r_base64_encode_dyn(const char *str, int len) { - char *bout; + char *bout, *tmp; int in, out; if (!str) return NULL; - if (len<0) len = strlen (str); - bout = (char *)malloc ((len * 4)+1); + if (len < 0) len = strlen (str); + if ((len * 4) + 2 < len) return NULL; + bout = (char *)malloc ((len * 4) + 2); if (!bout) return NULL; - for (in=out=0; in3?3:len-in); + for (in = out = 0; in < len; in += 3, out += 4) + b64_encode ((const ut8*)str + in, (char*)bout + out, + (len - in) > 3 ? 3 : len - in); bout[out] = 0; - return realloc (bout, out+1); + return bout; } diff --git a/libr/util/hex.c b/libr/util/hex.c index b650e5fc61..598ce23ea2 100644 --- a/libr/util/hex.c +++ b/libr/util/hex.c @@ -164,8 +164,12 @@ R_API int r_hex_bin2str(const ut8 *in, int len, char *out) { R_API char *r_hex_bin2strdup(const ut8 *in, int len) { int i, idx; - char tmp[5], *out = malloc ((len+1)*2); - for (i=idx=0; ioffp = string; m->beginp = start; m->endp = stop; + + if (m->g->nstates * 4 < m->g->nstates) + return R_REGEX_NOMATCH; STATESETUP(m, 4); SETUP(m->st); SETUP(m->fresh); @@ -202,9 +205,13 @@ matcher(struct re_guts *g, char *string, size_t nmatch, RRegexMatch pmatch[], break; /* no further info needed */ /* oh my, he wants the subexpressions... */ - if (m->pmatch == NULL) + if (m->pmatch == NULL) { + if ((m->g->nsub + 1) * sizeof(RRegexMatch) < m->g->nsub) { + return R_REGEX_ESPACE; + } m->pmatch = (RRegexMatch *)malloc((m->g->nsub + 1) * sizeof(RRegexMatch)); + } if (m->pmatch == NULL) { STATETEARDOWN(m); return(R_REGEX_ESPACE); @@ -216,6 +223,11 @@ matcher(struct re_guts *g, char *string, size_t nmatch, RRegexMatch pmatch[], dp = dissect(m, m->coldp, endp, gf, gl); } else { if (g->nplus > 0 && m->lastpos == NULL) + if ((g->nplus + 1) * sizeof(char *) < g->nplus) { + free (m->pmatch); + STATETEARDOWN(m); + return R_REGEX_ESPACE; + } m->lastpos = (char **)malloc((g->nplus+1) * sizeof(char *)); if (g->nplus > 0 && m->lastpos == NULL) { @@ -968,7 +980,7 @@ print(struct match *m, char *caption, states st, int ch, FILE *d) (void)fprintf(d, "\n"); } -/* +/* - at - print current situation */ static void diff --git a/libr/util/slist.c b/libr/util/slist.c index fc1bec2e3e..ded1c3cef1 100644 --- a/libr/util/slist.c +++ b/libr/util/slist.c @@ -118,7 +118,11 @@ R_API void r_slist_optimize (RSList *s) { s->min = min; s->max = max; s->mod = ((max-min)); - s->items = malloc (1+ (sizeof (void*) * s->nitems)); + if (s->nitems * sizeof(void*) < s->nitems) { + s->items = NULL; + } else { + s->items = malloc (1 + (sizeof (void*) * s->nitems)); + } //eprintf ("MOD %d (block size)\n", s->mod); // store integers as indexes inside the allocated heap @@ -156,7 +160,7 @@ OUTPUT #if 0 typedef struct { - + } SListStore; typedef struct { IntArray news; @@ -170,9 +174,9 @@ typedef struct { -+- QueueList # new additions are here `- idxlist |_ --- RangeCmp # user provided comparator function ---- IndexList # +--- IndexList # --- Storage # Heap Array storing all elements - | We always use + | We always use --- StoreList # Heap Array of integers pointing to storage | we can probably just store a list of removed | items and the length diff --git a/libr/util/str.c b/libr/util/str.c index 0ca24fb779..a415799864 100644 --- a/libr/util/str.c +++ b/libr/util/str.c @@ -1528,13 +1528,14 @@ R_API char *r_str_uri_encode (const char *s) { R_API char *r_str_utf16_encode (const char *s, int len) { int i; - char ch[4], *d, *od; + char ch[4], *d, *od, *tmp; if (!s) return NULL; - if (len<0) len = strlen (s); - od = d = malloc (1+(len*7)); + if (len < 0) len = strlen (s); + if ((len * 7) + 1 < len) return NULL; + od = d = malloc (1 + (len * 7)); if (!d) return NULL; - for (i=0; i=0x20) && (*s<=126)) { + for (i = 0; i < len; s++, i++) { + if ((*s >= 0x20) && (*s <= 126)) { *d++ = *s; } else { *d++ = '\\'; @@ -1548,7 +1549,12 @@ R_API char *r_str_utf16_encode (const char *s, int len) { } } *d = 0; - return realloc (od, strlen (od)+1); // FIT + tmp = realloc (od, strlen (od)+1); // FIT + if (!tmp) { + free (od); + return NULL; + } + return tmp; } // TODO: merge print inside rutil