RPM Community Forums

Mailing List Message of <popt-devel>

latest from cvs: NULL-deref upon realloc failure

From: Jim Meyering <jim@meyering.net>
Date: Wed 20 May 2009 - 12:16:00 CEST
Message-ID: <87k54cm65b.fsf@meyering.net>

Most heap allocation functions are checked
for NULL return values, but a few are not:

./poptconfig.c:     b = realloc(b, (nb + nse));
./poptconfig.c-     (void) stpcpy( stpcpy(&b[nb-1], " "), se);

./popt.c:               t = realloc(t, tn);
./popt.c-               te = stpcpy(t + pos, a);

If either of those realloc calls fails, the next line
dereferences a NULL pointer.

Also, any use of realloc like those above introduces
a leak whenever realloc fails.

Instead, when realloc fails, the code should ensure
that the original value of the pointer (b or t above)
can still be freed.

Received on Wed May 20 12:16:22 2009
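
The pattern the message asks for, as an added example (not code from popt or from the original message): the realloc result goes into a temporary, so on failure nothing is dereferenced and the original buffer can still be freed. The names append_word, realloc_fn and failing_realloc are hypothetical, and nse is assumed to be strlen(se) + 1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook so the failure path can be exercised (hypothetical, not in popt). */
typedef void *(*realloc_fn)(void *, size_t);

/* Stand-in for a realloc that fails: returns NULL and leaves the block alone. */
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/*
 * Append " " followed by se to the heap string *bp.
 * Returns 0 on success. Returns -1 if the allocator fails, in which case
 * *bp is unchanged and still owned (and freeable) by the caller.
 */
static int append_word(char **bp, const char *se, realloc_fn ra)
{
    size_t nb = strlen(*bp) + 1;   /* current size, including the NUL */
    size_t nse = strlen(se) + 1;   /* assumed: one separator byte plus se */
    char *tmp = ra(*bp, nb + nse); /* never assign straight back to *bp */

    if (tmp == NULL)
        return -1;
    tmp[nb - 1] = ' ';             /* overwrite the old NUL */
    memcpy(tmp + nb, se, nse);     /* copies se and its terminating NUL */
    *bp = tmp;
    return 0;
}

int main(void)
{
    char *b = malloc(4);
    if (b == NULL)
        return 1;
    memcpy(b, "foo", 4);
    if (append_word(&b, "bar", realloc) != 0) { free(b); return 1; }
    printf("after success: \"%s\"\n", b);
    if (append_word(&b, "baz", failing_realloc) != 0)
        printf("realloc failed, buffer intact: \"%s\"\n", b);
    free(b);   /* no leak on either path */
    return 0;
}
```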