From 93a9caecd5bb549cb51360173959a7f819d9c9ae Mon Sep 17 00:00:00 2001
From: deraadt <>
Date: Sun, 2 Sep 2007 15:19:18 +0000
Subject: [PATCH] use calloc() to avoid malloc(n * m) overflows; checked by djm canacar jsg
---
 src/lib/libc/stdlib/hcreate.c | 4 ++--
 src/lib/libc/stdlib/radixsort.c | 4 ++--
 src/lib/libc/string/bm.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/lib/libc/stdlib/hcreate.c b/src/lib/libc/stdlib/hcreate.c
index f8df1bcd..094f32c1 100644
--- a/src/lib/libc/stdlib/hcreate.c
+++ b/src/lib/libc/stdlib/hcreate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hcreate.c,v 1.3 2005/10/10 17:37:44 espie Exp $ */
+/* $OpenBSD: hcreate.c,v 1.4 2007/09/02 15:19:17 deraadt Exp $ */
 /* $NetBSD: hcreate.c,v 1.5 2004/04/23 02:48:12 simonb Exp $ */
 
 /*
@@ -117,7 +117,7 @@ hcreate(size_t nel)
 
 /* Allocate the table. */
 htablesize = nel;
- htable = malloc(htablesize * sizeof htable[0]);
+ htable = calloc(htablesize, sizeof htable[0]);
 if (htable == NULL) {
 errno = ENOMEM;
 return 0;
diff --git a/src/lib/libc/stdlib/radixsort.c b/src/lib/libc/stdlib/radixsort.c
index 0b2ff270..49d03b52 100644
--- a/src/lib/libc/stdlib/radixsort.c
+++ b/src/lib/libc/stdlib/radixsort.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: radixsort.c,v 1.8 2005/08/08 08:05:37 espie Exp $ */
+/* $OpenBSD: radixsort.c,v 1.9 2007/09/02 15:19:17 deraadt Exp $ */
 /*-
 * Copyright (c) 1990, 1993
 * The Regents of the University of California. All rights reserved.
@@ -104,7 +104,7 @@ sradixsort(const u_char **a, int n, const u_char *tab, u_int endch)
 if (n < THRESHOLD)
 simplesort(a, n, 0, tr, endch);
 else {
- if ((ta = malloc(n * sizeof(a))) == NULL)
+ if ((ta = calloc(n, sizeof(a))) == NULL)
 return (-1);
 r_sort_b(a, ta, n, 0, tr, endch);
 free(ta);
diff --git a/src/lib/libc/string/bm.c b/src/lib/libc/string/bm.c
index 829c2408..2c4c6ca7 100644
--- a/src/lib/libc/string/bm.c
+++ b/src/lib/libc/string/bm.c
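Review bot: In the hcreate() hunk of src/lib/libc/stdlib/hcreate.c, the comment above the allocation still reads only `/* Allocate the table. */`, so nothing at the call site records that calloc() is there for its overflow check on `htablesize * sizeof htable[0]` rather than for the zero fill. A later cleanup could turn it back into malloc() with a multiplication; I would extend the comment to `/* Allocate the table; calloc() fails cleanly if nel * sizeof htable[0] overflows. */`. The explicit `errno = ENOMEM;` in the failure branch is redundant on implementations where calloc() sets errno itself, though it is harmless. hcreate()'s body starts and ends outside the hunk.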
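Review bot: In the sradixsort() hunk of src/lib/libc/stdlib/radixsort.c, the element size passed to calloc() is `sizeof(a)`, the size of the `const u_char **` parameter itself, not of one array element. The two sizes coincide wherever all object pointers have the same width, but the expression reads as a mistake and would silently under- or over-allocate if the element type ever changed; `if ((ta = calloc(n, sizeof(*a))) == NULL)` states the intent. `n` is an `int` that is converted to `size_t` at this call; the `n < THRESHOLD` branch above keeps negative counts away from it only as long as THRESHOLD is positive, and that definition is outside the hunk. The function body continues outside the hunk.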
@@ -1,4 +1,4 @@
-/* $OpenBSD: bm.c,v 1.6 2005/08/08 08:05:37 espie Exp $ */
+/* $OpenBSD: bm.c,v 1.7 2007/09/02 15:19:18 deraadt Exp $ */
 /*-
 * Copyright (c) 1994
 * The Regents of the University of California. All rights reserved.
@@ -104,7 +104,7 @@ bm_comp(u_char const *pb, size_t len, u_char const *freq)
 goto mem;
 memcpy(pat->pat, pb, pat->patlen);
 /* get skip delta */
- if ((pat->delta = malloc(256 * sizeof(*d))) == NULL)
+ if ((pat->delta = calloc(256, sizeof(*d))) == NULL)
 goto mem;
 for (j = 0, d = pat->delta; j < 256; j++)
 d[j] = pat->patlen;
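Review bot: In the bm_comp() hunk, `calloc(256, sizeof(*d))` has constant operands, so there is no multiplication that can overflow here, and the zero fill is overwritten at once by the loop that sets every `d[j]` to `pat->patlen`. The call is fine for consistency with the other two files, but a short comment such as `/* calloc() for consistency; 256 * sizeof(*d) cannot overflow */` would keep a reader from hunting for an overflow that is not there. The literal 256 also appears in the loop bound two lines below and has to stay in step with the allocation, so a single named constant would tie the two together. bm_comp() starts and ends outside the hunk.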