From 2e783a47076bd0994b6ce86df7ec967bc1c2da63 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sun, 12 Aug 2001 17:30:01 +0000 Subject: this is a big global fix for the ptr = Realloc(ptr, size) bug. many possible mem leaks, and segfaults fixed. someone should port this fix to 2.2 also. (This used to be commit fa8e55b8b465114ce209344965c1ca0333b84db9) --- source3/rpc_parse/parse_creds.c | 20 ++++++++++++-------- source3/rpc_parse/parse_spoolss.c | 33 ++++++++++++++++++++++++--------- 2 files changed, 36 insertions(+), 17 deletions(-) (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_creds.c b/source3/rpc_parse/parse_creds.c index 7bdbe65880..ae8ba23a56 100644 --- a/source3/rpc_parse/parse_creds.c +++ b/source3/rpc_parse/parse_creds.c @@ -90,8 +90,7 @@ BOOL make_creds_unix_sec(CREDS_UNIX_SEC *r_u, r_u->uid = uid; r_u->gid = gid; r_u->num_grps = num_grps; - r_u->grps = (uint32*)Realloc(NULL, sizeof(r_u->grps[0]) * - r_u->num_grps); + r_u->grps = (uint32*)malloc(sizeof(r_u->grps[0]) * r_u->num_grps); if (r_u->grps == NULL && num_grps != 0) { return False; @@ -123,14 +122,17 @@ BOOL creds_io_unix_sec(char *desc, CREDS_UNIX_SEC *r_u, prs_struct *ps, int dept prs_uint32("num_grps", ps, depth, (uint32 *)&(r_u->num_grps)); if (r_u->num_grps != 0) { - r_u->grps = (uint32*)Realloc(r_u->grps, + uint32 *tgr; + + tgr = (uint32*)Realloc(r_u->grps, sizeof(r_u->grps[0]) * r_u->num_grps); - if (r_u->grps == NULL) + if (tgr == NULL) { creds_free_unix_sec(r_u); return False; } + else r_u->grps = tgr; } for (i = 0; i < r_u->num_grps; i++) { @@ -165,8 +167,7 @@ BOOL make_creds_nt_sec(CREDS_NT_SEC *r_u, sid_copy(&r_u->sid, sid); r_u->num_grps = num_grps; - r_u->grp_rids = (uint32*)Realloc(NULL, sizeof(r_u->grp_rids[0]) * - r_u->num_grps); + r_u->grp_rids = (uint32*)malloc(sizeof(r_u->grp_rids[0]) * r_u->num_grps); if (r_u->grp_rids == NULL && num_grps != 0) { 
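Review bot: In creds_io_unix_sec, `num_grps` is filled in by `prs_uint32` (presumably from the incoming stream when unmarshalling) and then multiplied by `sizeof(r_u->grps[0])` with no upper bound, so where `size_t` is 32 bits the product can wrap and `Realloc` hands back a buffer smaller than the following `for (i = 0; i < r_u->num_grps; i++)` loop assumes. The temporary pointer fixes the leak on failure but not this. A guard ahead of the allocation would close it, for example `if (r_u->num_grps > ((size_t)-1) / sizeof(r_u->grps[0])) { creds_free_unix_sec(r_u); return False; }`, or better a protocol-level cap on the group count. The same applies to `grp_rids` in the creds_io_nt_sec hunk, and the return value of `prs_uint32` is not checked in either place. The loop body lies outside the hunk, so what it writes per element is inferred from the loop header only.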
@@ -199,14 +200,17 @@ BOOL creds_io_nt_sec(char *desc, CREDS_NT_SEC *r_u, prs_struct *ps, int depth) prs_uint32("num_grps", ps, depth, &(r_u->num_grps)); if (r_u->num_grps != 0) { - r_u->grp_rids = (uint32*)Realloc(r_u->grp_rids, + uint32 *tgrid; + + tgrid = (uint32*)Realloc(r_u->grp_rids, sizeof(r_u->grp_rids[0]) * r_u->num_grps); - if (r_u->grp_rids == NULL) + if (tgrid == NULL) { creds_free_nt_sec(r_u); return False; } + else r_u->grp_rids = tgrid; } for (i = 0; i < r_u->num_grps; i++) { diff --git a/source3/rpc_parse/parse_spoolss.c b/source3/rpc_parse/parse_spoolss.c index b568995752..dd2c4a541a 100644 --- a/source3/rpc_parse/parse_spoolss.c +++ b/source3/rpc_parse/parse_spoolss.c @@ -1861,12 +1861,17 @@ static BOOL smb_io_relarraystr(char *desc, NEW_BUFFER *buffer, int depth, uint16 an extra NULL for termination */ if (l_chaine > 0) { + uint16 *tc2; + realloc_size = (l_chaine2+l_chaine+2)*sizeof(uint16); /* Yes this should be realloc - it's freed below. JRA */ - if((chaine2=(uint16 *)Realloc(chaine2, realloc_size)) == NULL) + if((tc2=(uint16 *)Realloc(chaine2, realloc_size)) == NULL) { + if (chaine2) free(chaine2); return False; + } + else chaine2 = tc2; memcpy(chaine2+l_chaine2, chaine.buffer, (l_chaine+1)*sizeof(uint16)); l_chaine2+=l_chaine+1; } @@ -4703,7 +4708,7 @@ BOOL spool_io_printer_driver_info_level_6(char *desc, SPOOL_PRINTER_DRIVER_INFO_ ********************************************************************/ static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) { - fstring f; + fstring f, *tar; int n = 0; char *src; 
@@ -4715,7 +4720,9 @@ static BOOL uniarray_2_dosarray(BUFFER5 *buf5, fstring **ar) while (src < ((char *)buf5->buffer) + buf5->buf_len*2) { rpcstr_pull(f, src, sizeof(f)-1, -1, 0); src = skip_unibuf(src, 2*buf5->buf_len - PTR_DIFF(src,buf5->buffer)); - *ar = (fstring *)Realloc(*ar, sizeof(fstring)*(n+2)); + tar = (fstring *)Realloc(*ar, sizeof(fstring)*(n+2)); + if (!tar) return False; + else *ar = tar; fstrcpy((*ar)[n], f); n++; } @@ -4993,9 +5000,11 @@ BOOL uni_2_asc_printer_driver_3(SPOOL_PRINTER_DRIVER_INFO_LEVEL_3 *uni, DEBUGADD(8,( "monitorname: %s\n", d->monitorname)); DEBUGADD(8,( "defaultdatatype: %s\n", d->defaultdatatype)); - uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles ); - - return True; + if (uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles )) + return True; + + free(*asc); + return False; } /******************************************************************* @@ -5038,10 +5047,16 @@ BOOL uni_2_asc_printer_driver_6(SPOOL_PRINTER_DRIVER_INFO_LEVEL_6 *uni, DEBUGADD(8,( "monitorname: %s\n", d->monitorname)); DEBUGADD(8,( "defaultdatatype: %s\n", d->defaultdatatype)); - uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles ); - uniarray_2_dosarray(&uni->previousnames, &d->previousnames ); - + if (!uniarray_2_dosarray(&uni->dependentfiles, &d->dependentfiles )) + goto error; + if (!uniarray_2_dosarray(&uni->previousnames, &d->previousnames )) + goto error; + return True; + +error: + free(*asc); + return False; } BOOL uni_2_asc_printer_info_2(const SPOOL_PRINTER_INFO_LEVEL_2 *uni, -- cgit
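Review bot: The new `if (!tar) return False;` in uniarray_2_dosarray leaves `*ar` pointing at the array built by earlier iterations, and the two callers changed later in this patch free only `*asc` on that result, so the partial array appears to be leaked on exactly the path this commit introduces. Releasing it before returning keeps the ownership in one place: `if (!tar) { if (*ar) free(*ar); *ar = NULL; return False; }`. The `else` after the `return` is then unnecessary. The end of the function is outside the hunk, so whether `*ar` is touched again after the loop cannot be seen here.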
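Review bot: After `free(*asc)` on the new failure path of uni_2_asc_printer_driver_3, the caller's pointer still holds the freed address, so a caller that cleans up or retries on `False` can free or read it a second time. Clearing it avoids that: `free(*asc); *asc = NULL;`. The allocation of `*asc` is outside the hunk; if the function also accepts a structure the caller has already allocated, freeing it here changes who owns it and that should be stated in the function's header comment. The `error:` label in the uni_2_asc_printer_driver_6 hunk has the same bare `free(*asc)`.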
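Review bot: When the second `uniarray_2_dosarray` call (for `previousnames`) fails in uni_2_asc_printer_driver_6, `goto error` frees `*asc` but not the `d->dependentfiles` array that the first call has just built. Assuming `d` refers to the structure held in `*asc` (its assignment is outside the hunk), that array becomes unreachable once the structure is freed. The error path should release it first, `if (d->dependentfiles) free(d->dependentfiles);` ahead of `free(*asc);`.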