diff options
| author | Jim Meyering <meyering@redhat.com> | 2009-07-02 15:39:08 +0200 |
|---|---|---|
| committer | Jim Meyering <meyering@redhat.com> | 2009-07-03 00:14:52 +0200 |
| commit | 447dae7df43e8a98da59d94f1aef9895e087aa13 (patch) | |
| tree | ae5285a58c6297b5f2c90fc0758da9983073fe4b /src/guestfs.c | |
| parent | d0bdef850e7bf0edc1a8ee1f05880cdf867aeeb6 (diff) | |
| download | libguestfs-447dae7df43e8a98da59d94f1aef9895e087aa13.tar.gz libguestfs-447dae7df43e8a98da59d94f1aef9895e087aa13.tar.xz libguestfs-447dae7df43e8a98da59d94f1aef9895e087aa13.zip | |
use safe_malloc and safe_calloc in generated code
* src/generator.ml (safe_malloc): Define to guestfs_safe_malloc.
(safe_calloc): Define to guestfs_safe_calloc.
[most generated code]: Fail immediately upon failure of otherwise-
unchecked malloc and calloc calls.
* src/guestfs.c: Include <stddef.h>.
(xalloc_oversized): Define.
* src/guestfs.h (guestfs_safe_calloc): Declare.
Diffstat (limited to 'src/guestfs.c')
| -rw-r--r-- | src/guestfs.c | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/src/guestfs.c b/src/guestfs.c index c3bce0b8..350d8481 100644 --- a/src/guestfs.c +++ b/src/guestfs.c @@ -1,5 +1,5 @@ /* libguestfs - * Copyright (C) 2009 Red Hat Inc. + * Copyright (C) 2009 Red Hat Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -24,6 +24,7 @@ #include <stdio.h> #include <stdlib.h> #include <stdarg.h> +#include <stddef.h> #include <unistd.h> #include <ctype.h> #include <string.h> @@ -453,6 +454,42 @@ guestfs_safe_malloc (guestfs_h *g, size_t nbytes) return ptr; } +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not an inline function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +/* Technically we should add an autoconf test for this, testing for the desired + functionality, like what's done in gnulib, but for now, this is fine. */ +#define HAVE_GNU_CALLOC (__GLIBC__ >= 2) + +/* Allocate zeroed memory for N elements of S bytes, with error + checking. S must be nonzero. */ +void * +guestfs_safe_calloc (guestfs_h *g, size_t n, size_t s) +{ + /* From gnulib's calloc function in xmalloc.c. */ + void *p; + /* Test for overflow, since some calloc implementations don't have + proper overflow checks. But omit overflow and size-zero tests if + HAVE_GNU_CALLOC, since GNU calloc catches overflow and never + returns NULL if successful. */ + if ((! HAVE_GNU_CALLOC && xalloc_oversized (n, s)) + || (! (p = calloc (n, s)) && (HAVE_GNU_CALLOC || n != 0))) + g->abort_cb (); + return p; +} + void * guestfs_safe_realloc (guestfs_h *g, void *ptr, int nbytes) { |