Fix 0 size malloc, part 2

2014-04-30 22:40:43 +09:00 · 2014-04-30 22:40:43 +09:00 · 52b74144ee
parent 1b79114d2d
commit 52b74144ee
3 changed files with 54 additions and 14 deletions
--- a/lib/nghttp2_frame.c
+++ b/lib/nghttp2_frame.c
@ -515,11 +515,18 @@ int nghttp2_frame_unpack_settings_payload(nghttp2_settings *frame,
 {
  size_t payloadlen = niv * sizeof(nghttp2_settings_entry);

-  frame->iv = malloc(payloadlen);
-  if(frame->iv == NULL) {
-    return NGHTTP2_ERR_NOMEM;
+  if(niv == 0) {
+    frame->iv = NULL;
+  } else {
+    frame->iv = malloc(payloadlen);
+
+    if(frame->iv == NULL) {
+      return NGHTTP2_ERR_NOMEM;
+    }
+
+    memcpy(frame->iv, iv, payloadlen);
  }
-  memcpy(frame->iv, iv, payloadlen);
+
  frame->niv = niv;
  return 0;
 }
@ -537,15 +544,27 @@ int nghttp2_frame_unpack_settings_payload2(nghttp2_settings_entry **iv_ptr,
                                           size_t payloadlen)
 {
  size_t i;
+
  *niv_ptr = payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH;
+
+  if(*niv_ptr == 0) {
+    *iv_ptr = NULL;
+
+    return 0;
+  }
+
+
  *iv_ptr = malloc((*niv_ptr)*sizeof(nghttp2_settings_entry));
+
  if(*iv_ptr == NULL) {
    return NGHTTP2_ERR_NOMEM;
  }
+
  for(i = 0; i < *niv_ptr; ++i) {
    size_t off = i * NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH;
    nghttp2_frame_unpack_settings_entry(&(*iv_ptr)[i], &payload[off]);
  }
+
  return 0;
 }

@ -829,11 +848,19 @@ nghttp2_settings_entry* nghttp2_frame_iv_copy(const nghttp2_settings_entry *iv,
 {
  nghttp2_settings_entry *iv_copy;
  size_t len = niv*sizeof(nghttp2_settings_entry);
+
+  if(len == 0) {
+    return NULL;
+  }
+
  iv_copy = malloc(len);
+
  if(iv_copy == NULL) {
    return NULL;
  }
+
  memcpy(iv_copy, iv, len);
+
  return iv_copy;
 }

--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@ -74,7 +74,13 @@ int nghttp2_reserve_buffer(uint8_t **buf_ptr, size_t *buflen_ptr,

 void* nghttp2_memdup(const void* src, size_t n)
 {
-  void* dest = malloc(n);
+  void* dest;
+
+  if(n == 0) {
+    return NULL;
+  }
+
+  dest = malloc(n);
  if(dest == NULL) {
    return NULL;
  }
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@ -4814,14 +4814,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session,

        varlen = iframe->frame.hd.length - 8;

-        iframe->raw_lbuf = malloc(varlen);
+        if(varlen > 0) {
+          iframe->raw_lbuf = malloc(varlen);

-        if(iframe->raw_lbuf == NULL) {
-          return NGHTTP2_ERR_NOMEM;
+          if(iframe->raw_lbuf == NULL) {
+            return NGHTTP2_ERR_NOMEM;
+          }
+
+          nghttp2_buf_wrap_init(&iframe->lbuf, iframe->raw_lbuf, varlen);
        }

-        nghttp2_buf_wrap_init(&iframe->lbuf, iframe->raw_lbuf, varlen);
-
        busy = 1;

        iframe->state = NGHTTP2_IB_READ_ALTSVC;
@ -5528,10 +5530,15 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags,
  if(frame == NULL) {
    return NGHTTP2_ERR_NOMEM;
  }
-  iv_copy = nghttp2_frame_iv_copy(iv, niv);
-  if(iv_copy == NULL) {
-    free(frame);
-    return NGHTTP2_ERR_NOMEM;
+
+  if(niv > 0) {
+    iv_copy = nghttp2_frame_iv_copy(iv, niv);
+    if(iv_copy == NULL) {
+      free(frame);
+      return NGHTTP2_ERR_NOMEM;
+    }
+  } else {
+    iv_copy = NULL;
  }

  if((flags & NGHTTP2_FLAG_ACK) == 0) {