bugfix 1566 NULL pointer dereference

Thanks Bill Parker

diff --git a/Changelog b/Changelog
index 164d65b3dc843bc8fe9ae5a1210e27fb8be20c91..da0e9b829e301852e5da8de2c36030e58646fc72 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
 1.7.1  ????-??-??
+       * bugfix #1566: Possible NULL Pointer Dereference
+         Thanks Bill Parker
        * bugfix #1260: Anticipate strchr returning NULL on unfound char
          Thanks Stephan Zeisberg
        * bugfix #1257: Free after reallocing to 0 size

diff --git a/duration.c b/duration.c
index 1abeb12515d80f1c13c7f958e200da60422fc264..bc8a72cf84d64dae2114674e65a095d626f94654 100644 (file)
--- a/duration.c
+++ b/duration.c
@@ -215,9 +215,10 @@ digits_in_number(time_t duration)
 char*
 ldns_duration2string(const ldns_duration_type* duration)
 {
-    char* str = NULL, *num = NULL;
+    char* str = NULL;
     size_t count = 2;
     int T = 0;
+    char num[80];
 
     if (!duration) {
         return NULL;
@@ -251,61 +252,55 @@ ldns_duration2string(const ldns_duration_type* duration)
         count++;
     }
 
-    str = (char*) calloc(count, sizeof(char));
+    if (!(str = (char*) calloc(count, sizeof(char))))
+           return NULL;
     str[0] = 'P';
     str[1] = '\0';
 
     if (duration->years > 0) {
         count = digits_in_number(duration->years);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL; /* int's > 256 bits */
         snprintf(num, count+2, "%uY", (unsigned int) duration->years);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (duration->months > 0) {
         count = digits_in_number(duration->months);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uM", (unsigned int) duration->months);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (duration->weeks > 0) {
         count = digits_in_number(duration->weeks);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uW", (unsigned int) duration->weeks);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (duration->days > 0) {
         count = digits_in_number(duration->days);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uD", (unsigned int) duration->days);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (T) {
         str = strncat(str, "T", 1);
     }
     if (duration->hours > 0) {
         count = digits_in_number(duration->hours);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uH", (unsigned int) duration->hours);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (duration->minutes > 0) {
         count = digits_in_number(duration->minutes);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uM", (unsigned int) duration->minutes);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     if (duration->seconds > 0) {
         count = digits_in_number(duration->seconds);
-        num = (char*) calloc(count+2, sizeof(char));
+       if (count > sizeof(num) - 2) return NULL;
         snprintf(num, count+2, "%uS", (unsigned int) duration->seconds);
         str = strncat(str, num, count+2);
-        free((void*) num);
     }
     return str;
 }