From 7aef1c5997fddc58350bb5cafb0dad1ada3131ec Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Wed, 8 Oct 2014 05:33:31 +0000
Subject: [PATCH] using reallocarray() gives us multiplicative integer overflow checking in case something wants to create massive amounts of environment, like a bit more than 1/4 of a 32-bit address space. unrealistic -- but why audit one code path, and not treat others the same? then you have to re-engage everytime you see the code. read the news, that isn't what developers do. At least if the code paths look the same, there is hope, because they are easier to verify for correctness. developers need to give other developers a chance to want to care.
---
 src/lib/libc/stdlib/setenv.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/lib/libc/stdlib/setenv.c b/src/lib/libc/stdlib/setenv.c
index 9060fdba..10b55445 100644
--- a/src/lib/libc/stdlib/setenv.c
+++ b/src/lib/libc/stdlib/setenv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: setenv.c,v 1.14 2012/09/23 16:08:04 jeremy Exp $ */
+/* $OpenBSD: setenv.c,v 1.15 2014/10/08 05:33:31 deraadt Exp $ */
 /*
 * Copyright (c) 1987 Regents of the University of California.
 * All rights reserved.
@@ -71,7 +71,7 @@ putenv(char *str)
 for (P = environ; *P != NULL; P++)
 ;
 cnt = P - environ;
- P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+ P = reallocarray(lastenv, cnt + 2, sizeof(char *));
 if (!P)
 return (-1);
 if (lastenv != environ)
@@ -129,7 +129,7 @@ setenv(const char *name, const char *value, int rewrite)
 for (P = environ; *P != NULL; P++)
 ;
 cnt = P - environ;
- P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
+ P = reallocarray(lastenv, cnt + 2, sizeof(char *));
 if (!P)
 return (-1);
 if (lastenv != environ)
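Review bot: Nothing at the new call `P = reallocarray(lastenv, cnt + 2, sizeof(char *));` in putenv() says that the array form was chosen for its overflow check, and the identical line in the setenv() hunk has the same gap, so a later cleanup could fold either one back into a bare multiplication. A one-line comment above each call would record it, e.g. `/* reallocarray() returns NULL if (cnt + 2) * sizeof(char *) would overflow */`. The check covers only that product; the declaration of `cnt` is outside both hunks, so whether `cnt + 2` is evaluated as `size_t` should be confirmed there. Both functions begin and end outside the hunks shown.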