Bug 239688 - [patch] geom: uzip: Use mallocarray to prevent potential integer overflow
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs mailing list
Reported: 2019-08-07 07:26 UTC by Chuhong Yuan
Modified: 2019-08-12 09:09 UTC

g_uzip_zlib patch (471 bytes, patch)
2019-08-07 07:26 UTC, Chuhong Yuan

Description Chuhong Yuan 2019-08-07 07:26:47 UTC
Created attachment 206322
g_uzip_zlib patch

The implementation of z_alloc() in g_uzip_zlib.c uses malloc() to allocate resources without any check for the size.
This may lead to integer overflow.
It is better to use mallocarray() here to prevent such risk.
Comment 1 Conrad Meyer freebsd_committer 2019-08-07 16:17:02 UTC
z_alloc is used exclusively for zlib zstream's zalloc() pointer.  zlib does not make u_int overflowing allocation calls.  zlib inflate allocates about 44 kB per stream, max: https://www.zlib.net/zlib_tech.html .
Comment 2 ota 2019-08-12 09:09:56 UTC
I think both of the comments have a point.

Nevertheless, when delphij and I updated ZLIB, we switched to use mallocarray() and also dropped this private implementation.

References: https://reviews.freebsd.org/D21156 and https://reviews.freebsd.org/D20271
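The wrap-around the description worries about, next to the kind of multiplication check a mallocarray()-style allocator performs, as an added userspace example that is not the FreeBSD or zlib code. The function names are hypothetical; the callback takes (opaque, items, size) with unsigned int counts, the shape of zlib's zalloc pointer mentioned in comment 1.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Size an unchecked callback would hand to malloc(): the product of two
 * unsigned ints is computed in unsigned int and wraps modulo UINT_MAX + 1. */
static unsigned int
naive_request_size(unsigned int items, unsigned int size)
{
	return (items * size);
}

/* True when items * size does not fit in unsigned int. */
static int
would_overflow(unsigned int items, unsigned int size)
{
	return (size != 0 && items > UINT_MAX / size);
}

/* Hypothetical zalloc-style callback that refuses a wrapped request
 * instead of returning an undersized buffer. */
static void *
checked_zalloc(void *opaque, unsigned int items, unsigned int size)
{
	(void)opaque;
	if (would_overflow(items, size))
		return (NULL);
	return (malloc((size_t)items * size));
}

int
main(void)
{
	/* Constructed input: (UINT_MAX / 4 + 2) * 4 == UINT_MAX + 1 + 4. */
	unsigned int items = UINT_MAX / 4 + 2, size = 4;
	void *p;

	printf("naive size for %u x %u: %u bytes\n", items, size,
	    naive_request_size(items, size));
	printf("checked callback: %s\n",
	    checked_zalloc(NULL, items, size) == NULL ? "refused" : "allocated");

	/* A request in the range comment 1 cites (about 44 kB) is unaffected. */
	p = checked_zalloc(NULL, 1, 44 * 1024);
	printf("44 kB request: %s\n", p != NULL ? "allocated" : "failed");
	free(p);
	return (0);
}
```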