* cc_file.c (ALLOC): Use calloc, not malloc.

(krb5_fcc_read_principal): Check bounds on number of components before calling
ALLOC.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14724 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 15 insertions, 2 deletions

diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index d22d300da..80424fdcc 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,9 @@
+2002-08-15  Ken Raeburn  <raeburn@mit.edu>
+
+	* cc_file.c (ALLOC): Use calloc, not malloc.
+	(krb5_fcc_read_principal): Check bounds on number of components
+	before calling ALLOC.
+
 2002-08-15  Tom Yu  <tlyu@mit.edu>
 
 	* t_cc.c: Remove references to STDIO ccache.
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index f93ab93ed..a46e83f0c 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -398,7 +398,7 @@ krb5_fcc_read(context, id, buf, len)
 
 #define ALLOC(NUM,TYPE) \
     (((NUM) <= (((size_t)0-1)/ sizeof(TYPE)))		\
-     ? (TYPE *) malloc((NUM) * sizeof(TYPE))		\
+     ? (TYPE *) calloc((NUM), sizeof(TYPE))		\
      : (errno = ENOMEM,(TYPE *) 0))
 
 static krb5_error_code
@@ -433,12 +433,19 @@ krb5_fcc_read_principal(context, id, princ)
      */
     if (data->version == KRB5_FCC_FVNO_1)
 	length--;
+    if (length < 0)
+	return KRB5_CC_NOMEM;
 
     tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data));
     if (tmpprinc == NULL)
 	return KRB5_CC_NOMEM;
     if (length) {
-	tmpprinc->data = ALLOC (length, krb5_data);
+	size_t msize = length;
+	if (msize != length) {
+	    free(tmpprinc);
+	    return KRB5_CC_NOMEM;
+	}
+	tmpprinc->data = ALLOC (msize, krb5_data);
 	if (tmpprinc->data == 0) {
 	    free((char *)tmpprinc);
 	    return KRB5_CC_NOMEM;