Bug 239688

Summary: [patch] geom: uzip: Use mallocarray to prevent potential integer overflow
Product: Base System
Reporter: Chuhong Yuan <hslester96>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug
Severity: Affects Some People
CC: delphij, ota
Priority: ---
Version: CURRENT
Hardware: Any
OS: Any
Attachment: g_uzip_zlib patch (flags: none)

Description Chuhong Yuan 2019-08-07 07:26:47 UTC
Created attachment 206322: g_uzip_zlib patch

The implementation of z_alloc() in g_uzip_zlib.c uses malloc() to allocate resources without any check for the size.
This may lead to integer overflow.
It is better to use mallocarray() here to prevent such risk.
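Added illustration of the point under discussion (example code written for this page, not g_uzip_zlib.c, zlib or FreeBSD's mallocarray()): a userland model of a zlib zalloc() wrapper in its unchecked and overflow-checked forms, driven once by an inflate-shaped workload and once by hostile arguments. The wrapper signature (uInt items, uInt size) is zlib's alloc_func shape; the overflow test is the SIZE_MAX / size division used by mallocarray()- and calloc()-style allocators. The names would_overflow, unchecked_size, checked_size, z_alloc_unchecked, z_alloc_checked, request_bytes, inflate_like_total, the 7000-byte stand-in for the inflate state and the instrumentation variable last_request are all constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same shape as zlib's alloc_func: items and size are uInt (unsigned int). */
typedef void *(*alloc_fn)(void *opaque, unsigned int items, unsigned int size);

/* Constructed instrumentation: bytes the most recent wrapper call asked
 * malloc() for, so a caller can observe a wrapped product. */
static size_t last_request;

/* Overflow test of the mallocarray()/calloc() family: nmemb * size
 * overflows size_t exactly when nmemb > SIZE_MAX / size. */
int would_overflow(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* Byte count an unchecked wrapper hands to malloc(): the product is formed
 * in unsigned int and silently wraps once items * size reaches 2^32. */
unsigned int unchecked_size(unsigned int items, unsigned int size)
{
    return items * size;
}

/* Byte count a checked wrapper hands to malloc(): widened to size_t, and
 * -1 instead of a value when even size_t cannot hold the product. */
int checked_size(unsigned int items, unsigned int size, size_t *out)
{
    if (would_overflow(items, size))
        return -1;
    *out = (size_t)items * size;
    return 0;
}

void *z_alloc_unchecked(void *opaque, unsigned int items, unsigned int size)
{
    (void)opaque;
    last_request = unchecked_size(items, size);
    return malloc(last_request);
}

/* zlib reports a NULL from zalloc() as Z_MEM_ERROR, so refusing is safe. */
void *z_alloc_checked(void *opaque, unsigned int items, unsigned int size)
{
    size_t bytes;

    (void)opaque;
    if (checked_size(items, size, &bytes) != 0) {
        last_request = 0;
        return NULL;
    }
    last_request = bytes;
    return malloc(bytes);
}

/* Run one request through a wrapper and report the bytes it asked for
 * (0 if the wrapper refused or malloc() failed); the block is freed. */
size_t request_bytes(alloc_fn zalloc, unsigned int items, unsigned int size)
{
    void *p = zalloc(NULL, items, size);
    size_t n = (p != NULL) ? last_request : 0;

    free(p);
    return n;
}

/* inflate-shaped workload: one state object (items = 1) and a 32 KiB
 * sliding window (items = 1 << 15, size = 1). The state size is a
 * constructed stand-in, not sizeof(struct inflate_state). */
#define FAKE_INFLATE_STATE_SIZE 7000u
#define WINDOW_BITS 15u

size_t inflate_like_total(alloc_fn zalloc)
{
    size_t s = request_bytes(zalloc, 1, FAKE_INFLATE_STATE_SIZE);
    size_t w = request_bytes(zalloc, 1u << WINDOW_BITS, sizeof(unsigned char));

    return (s != 0 && w != 0) ? s + w : 0;
}

int main(void)
{
    /* Well-behaved caller (zlib-like): both wrappers agree. */
    printf("inflate-like, unchecked: %zu bytes\n", inflate_like_total(z_alloc_unchecked));
    printf("inflate-like, checked:   %zu bytes\n", inflate_like_total(z_alloc_checked));

    /* Hostile caller: 65536 * 65537 = 2^32 + 65536, which wraps to 65536. */
    printf("hostile, unchecked: asked malloc() for %u bytes\n",
           unchecked_size(65536u, 65537u));
    printf("hostile, checked:   %s\n",
           request_bytes(z_alloc_checked, 65536u, 65537u) == 65536 ? "WRAPPED" : "not wrapped");
    return 0;
}
```

The two wrappers behave identically for the inflate-shaped requests, which is the situation Comment 1 describes: the only caller of the wrapper never asks for a product that exceeds 32 bits. The hostile pair shows what the check buys if a different caller ever did: the unchecked form asks malloc() for 65536 bytes and returns a block far smaller than the caller believes it got, while the checked form either widens the product to size_t (64-bit hosts) or refuses it outright (hosts where size_t is 32 bits).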
Comment 1 Conrad Meyer freebsd_committer 2019-08-07 16:17:02 UTC
z_alloc is used exclusively for zlib zstream's zalloc() pointer.  zlib does not make u_int overflowing allocation calls.  zlib inflate allocates about 44 kB per stream, max: https://www.zlib.net/zlib_tech.html .
Comment 2 ota 2019-08-12 09:09:56 UTC
I think both comments have a point.

Nevertheless, when delphij and I updated ZLIB, we switched to using mallocarray() and also dropped this private implementation.

References: https://reviews.freebsd.org/D21156 and https://reviews.freebsd.org/D20271