Bug 16304 - Missing Sanity Checks in R-3.1.x for various library function calls...
Summary: Missing Sanity Checks in R-3.1.x for various library function calls...
Status: NEW
Alias: None
Product: R
Classification: Unclassified
Component: Misc (show other bugs)
Version: R 3.1.2
Hardware: All All
: P5 normal
Assignee: R-core
URL:
Depends on:
Blocks:
 
Reported: 2015-04-07 17:29 UTC by Bill Parker
Modified: 2015-04-07 17:34 UTC (History)
0 users

See Also:


Attachments
patch file for this bug report (401 bytes, patch)
2015-04-07 17:29 UTC, Bill Parker
patch file for this bug report (320 bytes, patch)
2015-04-07 17:30 UTC, Bill Parker
patch file for this bug report (987 bytes, patch)
2015-04-07 17:31 UTC, Bill Parker
patch file for this bug report (403 bytes, patch)
2015-04-07 17:32 UTC, Bill Parker
patch file for this bug report (621 bytes, patch)
2015-04-07 17:32 UTC, Bill Parker
patch file for this bug report (414 bytes, patch)
2015-04-07 17:33 UTC, Bill Parker
patch file for this bug report (392 bytes, patch)
2015-04-07 17:34 UTC, Bill Parker

Description Bill Parker 2015-04-07 17:29:08 UTC
Created attachment 1783 [details]
patch file for this bug report

Hello All,

   In directory '/src/main', file 'serialize.c', there is a 
call to 'fseek()' which is not checked for a non-zero return
value, indicating failure.  The patch file below corrects this
issue:

--- serialize.c.orig    2015-04-06 16:12:54.278936941 -0700
+++ serialize.c 2015-04-06 16:14:57.891647481 -0700
@@ -2570,7 +2570,11 @@
        error( _("cannot open file '%s': %s"), CHAR(STRING_ELT(file, 0)),
               strerror(errno));
     }
-    fseek(fp, 0, SEEK_END);
+    if (fseek(fp, 0, SEEK_END) != 0) {
+       fclose(fp);
+       error(_("seek failed on %s"), file);
+    }
+
 #endif
 
     len = LENGTH(bytes);
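Review bot: The new `error()` call passes `file` to a `%s` conversion, but the existing message a few lines above reads the same variable through `CHAR(STRING_ELT(file, 0))`, so `file` is an R object rather than a C string and the mismatch is undefined behaviour on exactly the path that is meant to report the failure. Use the same accessor as the existing message: `error(_("seek failed on %s"), CHAR(STRING_ELT(file, 0)));`. The check sits directly before `#endif`, so it covers only the branch of the conditional visible here; the enclosing function starts and ends outside the hunk.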
	 
In directory 'src/modules/X11', file 'dataentry.c', there is a call
to malloc() which is not checked for a return value of NULL,
indicating failure.  The patch file below corrects this issue:

--- dataentry.c.orig    2015-04-06 16:24:27.517043940 -0700
+++ dataentry.c 2015-04-06 16:25:41.234413039 -0700
@@ -464,6 +464,8 @@
     int i, nprotect;
     RCNTXT cntxt;
     DEstruct DE = (DEstruct) malloc(sizeof(destruct));
+    if (!DE)
+       errorcall(call, "Unable to allocate memory for struct DE");
 
     nView++;
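Review bot: The message passed to `errorcall()` is a bare string literal, while every other message added in this report is wrapped in `_()` for translation; write `errorcall(call, _("Unable to allocate memory for struct DE"));`. The placement is right: assuming `errorcall()` does not return, the test ahead of `nView++` keeps the counter from being bumped for a view that was never created. The enclosing function starts and ends outside the hunk.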
	 
In directory 'src/modules/X11', file 'devX11.c', there are instances
where malloc() is called without a check made for a return value of
NULL, indicating failure.  The patch file below corrects this issue:

--- devX11.c.orig       2015-04-06 16:35:56.337589489 -0700
+++ devX11.c    2015-04-06 16:39:52.879652769 -0700
@@ -295,6 +295,10 @@
 static void addBuffering(pX11Desc xd)
 {
     Xdl xdln = (Xdl) malloc(sizeof(struct xd_list));
+    if (!xdln) {
+       error(_("Unable to allocate memory for addBuffer..."));
+       return;
+    }
     xdln->this = xd;
     xdln->next = xdl->next;
     xdl->next = xdln;
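Review bot: The `return;` after `error()` in `addBuffering` is dead code if, as in R's C API, `error()` does not return to its caller; `if (!xdln) error(_("Unable to allocate memory for addBuffer..."));` is enough. The same applies to the two later hunks in this file, where the functions appear to return `R_XFont *` (their signatures are outside the hunks), so a bare `return;` would also be a missing return value if it were ever reached. It applies as well to `return FALSE;` in the sockconn.c hunk and `return(input);` in the sys-std.c hunk. If these paths are meant to return to the caller, `error()` is the wrong call and the callers need a NULL check instead.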
@@ -874,6 +878,10 @@
 {
     R_XFont *tmp;
     tmp = (R_XFont *) malloc(sizeof(R_XFont));
+    if (!tmp) {
+       error(_("Unable to allocate memory for LoadQueryFont"));
+       return;
+    }
     tmp->type = One_Font;
     tmp->font = XLoadQueryFont(display, name);
     if(tmp->font)
@@ -899,6 +907,10 @@
                                    const char *fontset_name)
 {
     R_XFont *tmp = (R_XFont *) malloc(sizeof(R_XFont));
+    if (!tmp) {
+       error(_("Unable to allocate memory for LoadQueryFontSet"));
+       return;
+    }
     XFontSet fontset;
     int  /*i,*/ missing_charset_count;
     char **missing_charset_list, *def_string;
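Review bot: The allocation check is inserted between `R_XFont *tmp = ...` and the remaining declarations (`XFontSet fontset;`, `int missing_charset_count;`, `char **missing_charset_list, *def_string;`), which puts a statement in the middle of the declaration block. Moving the `if (!tmp)` test below the last declaration keeps the layout used by the surrounding code and avoids a declaration-after-statement warning on stricter build settings. The function body continues outside the hunk.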
	 
In directory 'src/modules/internet', file 'Rhttpd.c', I found a 
call to calloc() which does not check for a return value of NULL
indicating failure.  The patch file below corrects this issue:

--- Rhttpd.c.orig       2015-04-06 16:44:49.500351735 -0700
+++ Rhttpd.c    2015-04-06 16:50:16.901962796 -0700
@@ -1133,6 +1133,8 @@
     if (cl_sock == INVALID_SOCKET) /* accept failed, don't bother */
        return;
     c = (httpd_conn_t*) calloc(1, sizeof(httpd_conn_t));
+    if (!c)
+       return; /* unable to allocate memory, so go home */
     c->sock = cl_sock;
     c->peer = peer_sa.sin_addr;
 #ifndef _WIN32
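Review bot: The early `return` on a failed `calloc()` leaves the just-accepted `cl_sock` open, so every connection that arrives while memory is short costs a descriptor that is never released. Close the socket before returning, e.g. `if (!c) { closesocket(cl_sock); return; }`, using whichever close routine this file already uses for accepted sockets (not visible in the hunk). Because this is the accept path of the built-in HTTP server, descriptor exhaustion here would stop it from serving further requests. The enclosing function starts and ends outside the hunk.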
 
 In directory 'src/modules/internet', file 'internet.c', there are
 some calls to malloc() which are not checked for a return value
 of NULL, indicating failure.  The patch file below fixes this issue:
 
--- internet.c.orig     2015-04-06 16:54:17.190502234 -0700
+++ internet.c  2015-04-06 16:57:51.286712761 -0700
@@ -745,6 +745,10 @@
        }*/
 
     wictxt = (WIctxt) malloc(sizeof(wIctxt));
+    if (!wictxt) {
+       warning(_("Unable to allocate memory for wictxt in R_HTTPOpen"));
+       return NULL;
+    }
     wictxt->length = -1;
     wictxt->type = NULL;
     wictxt->hand =
@@ -909,6 +913,11 @@
     WIctxt  wictxt;
 
     wictxt = (WIctxt) malloc(sizeof(wIctxt));
+    if (!wictxt) {
+       warning(_("Unable to allocate memory for wictxt in R_FTPOpen"));
+       return NULL;
+    }
+
     wictxt->length = -1;
     wictxt->type = NULL;
 
 In directory 'src/modules/internet', file 'sockconn.c', there is a
 call to malloc() without a check for a return value of NULL, indicating
 failure.  The patch file below corrects this issue:
 
--- sockconn.c.orig     2015-04-06 17:04:27.699094736 -0700
+++ sockconn.c  2015-04-06 17:07:12.849084451 -0700
@@ -75,6 +75,10 @@
        }
        free(con->description);
        con->description = (char *) malloc(strlen(buf) + 10);
+       if (!con->description) {
+           error(_("allocation of socket connection failed"));
+           return FALSE;
+       }
        sprintf(con->description, "<-%s:%d", buf, this->port);
        R_SockClose(sock1);
     } else {
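Review bot: Raising `error()` in the new branch skips the `R_SockClose(sock1);` two lines below, so the socket held in `sock1` stays open when the allocation fails. Call `R_SockClose(sock1);` before `error(...)` in that branch. At that point `con->description` has already been freed and is NULL, so any later cleanup or printing of `con` has to tolerate a NULL description; whether it does is not visible here. The enclosing function starts and ends outside the hunk.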
	 
In directory 'src/unix', file 'sys-std.c', there is a call to
calloc() which is not checked for a return value of NULL, indicating
failure.  The patch file below corrects this issue:

--- sys-std.c.orig      2015-04-06 17:13:12.836837043 -0700
+++ sys-std.c   2015-04-06 17:15:20.094010776 -0700
@@ -203,6 +203,10 @@
 {
     InputHandler *input, *tmp;
     input = (InputHandler*) calloc(1, sizeof(InputHandler));
+    if (!input) {
+       error(_("memory allocation error in InputHandler..."));
+       return(input);
+    }
 
     input->activity = activity;
     input->fileDescriptor = fd;
	 
I am attaching the patch file(s) to this bug report...

Bill Parker (wp02855 at gmail dot com)
Comment 1 Bill Parker 2015-04-07 17:30:23 UTC
Created attachment 1784 [details]
patch file for this bug report

Patch file 'dataentry.c' for this bug report...
Comment 2 Bill Parker 2015-04-07 17:31:11 UTC
Created attachment 1785 [details]
patch file for this bug report

Patch file 'devX11.c' for this bug report...
Comment 3 Bill Parker 2015-04-07 17:32:12 UTC
Created attachment 1786 [details]
patch file for this bug report

Patch file 'Rhttpd.c' for this bug report...
Comment 4 Bill Parker 2015-04-07 17:32:49 UTC
Created attachment 1787 [details]
patch file for this bug report

Patch file 'internet.c' for this bug report...
Comment 5 Bill Parker 2015-04-07 17:33:31 UTC
Created attachment 1788 [details]
patch file for this bug report

Patch file 'sockconn.c' for this bug report...
Comment 6 Bill Parker 2015-04-07 17:34:14 UTC
Created attachment 1789 [details]
patch file for this bug report

Patch file 'sys-std.c' for this bug report...