From 6b64b344156ef85877e8eefbcda381ac503c3cce Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 8 Oct 2014 05:33:31 +0000
Subject: using reallocarray() gives us multiplicative integer overflow
 checking in case something wants to create massive amounts of environment,
 like a bit more than 1/4 of a 32-bit address space.  unrealistic -- but why
 audit one code path, and not treat others the same?  then you have to
 re-engage everytime you see the code.  read the news, that isn't what
 developers do.  At least if the code paths look the same, there is hope,
 because they are easier to verify for correctness.  developers need to give
 other developers a chance to want to care.

---
 src/lib/libc/stdlib/setenv.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/lib/libc/stdlib/setenv.c')

diff --git a/src/lib/libc/stdlib/setenv.c b/src/lib/libc/stdlib/setenv.c
index 9060fdba88..10b55445f7 100644
--- a/src/lib/libc/stdlib/setenv.c
+++ b/src/lib/libc/stdlib/setenv.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: setenv.c,v 1.14 2012/09/23 16:08:04 jeremy Exp $ */
+/*	$OpenBSD: setenv.c,v 1.15 2014/10/08 05:33:31 deraadt Exp $ */
 /*
  * Copyright (c) 1987 Regents of the University of California.
  * All rights reserved.
@@ -71,7 +71,7 @@ putenv(char *str)
 	for (P = environ; *P != NULL; P++)
 		;
 	cnt = P - environ;
-	P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+	P = reallocarray(lastenv, cnt + 2, sizeof(char *));
 	if (!P)
 		return (-1);
 	if (lastenv != environ)
@@ -129,7 +129,7 @@ setenv(const char *name, const char *value, int rewrite)
 		for (P = environ; *P != NULL; P++)
 			;
 		cnt = P - environ;
-		P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+		P = reallocarray(lastenv, cnt + 2, sizeof(char *));
 		if (!P)
 			return (-1);
 		if (lastenv != environ)
-- 
cgit v1.2.3-55-g6feb