From: msnyder@sonic.net
To: "Ian Lance Taylor"
Cc: msnyder@sonic.net, binutils@sourceware.org
Date: Wed, 25 Jul 2007 21:23:00 -0000
Subject: Re: [PATCH] aout relocs
Message-ID: <10401.12.7.175.2.1185397487.squirrel@webmail.sonic.net>
References: <14938.12.7.175.2.1185390419.squirrel@webmail.sonic.net>

> msnyder@sonic.net writes:
>
>> As near as I can tell, if reloc_size is zero, the routine does
>> nothing useful. Maybe it will never be zero, but if it is, a few
>> iffy things will happen:
>>
>> * we'll call malloc with a size of zero, which is ill defined,
>> and later free the result
>
> No, we'll call bfd_malloc with a size of zero. That is not
> ill-defined.

With hat in hand, are you sure? bfd_malloc does not check for size == 0
before it calls malloc, and malloc(0) is "implementation defined"
(whatever that may mean).

> It will either return NULL, or not, as (confusingly)
> specified in the C standard. Passing a NULL pointer to free will
> always work.
>
>> * we'll call bfd_bread with a size of zero, and
>
> Which is fine.

Again, are you sure? bfd_bread doesn't seem to check size either, and it
passes it to memcpy. Is memcpy(x,y,0) well defined?

>> * a potentially null pointer may slip through the cracks.
>
> I'm not sure which pointer you mean here.

OK: we have

  relocs = bfd_malloc (reloc_size); // which might be zero
  if (relocs == NULL && reloc_size != 0)
    bail;

So now it is possible that relocs == NULL and reloc_size == 0.

And then,

  if (bfd_bread (relocs, reloc_size, abfd)...

And bfd_bread does this:

  memcpy (ptr, bim->buffer + abfd->where, size);

where both ptr and size might be zero.

Note, sorry about the changelog, I'll take care of that.

> Why aout?

I know, I know... I'm looking at a Coverity scan.
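As an added example (not code from the thread or from BFD), this C sketch shows the hardened shape of the read path discussed above: decide the reloc_size == 0 case before calling malloc, so a NULL from malloc(0) can never pass a "relocs == NULL && reloc_size != 0" check, and never hand a possibly-NULL pointer to memcpy, whose pointer arguments must be valid even when the length is zero. struct fake_bfd, fake_bread, read_relocs and demo_read_relocs are hypothetical stand-ins, not bfd's API.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the image the thread refers to (bim->buffer,
   abfd->where); hypothetical type, not the real bfd API. */
struct fake_bfd { const unsigned char *buffer; size_t where; size_t size; };

/* Hypothetical reader modelled on the bfd_bread path quoted above. C requires
   memcpy's pointers to be valid even when n == 0, so return before memcpy. */
static size_t fake_bread(void *ptr, size_t size, struct fake_bfd *abfd)
{
    if (abfd->where + size > abfd->size)
        size = abfd->size - abfd->where;    /* short read */
    if (size == 0)
        return 0;
    memcpy(ptr, abfd->buffer + abfd->where, size);
    abfd->where += size;
    return size;
}

/* Hardened form of the pattern under discussion: the zero-size case is decided
   before any allocation, so a NULL from malloc(0) can never be mistaken for a
   live buffer. Returns 0 on success, -1 on failure; *out gets the buffer, or
   NULL when there is nothing to read. */
int read_relocs(struct fake_bfd *abfd, size_t reloc_size, unsigned char **out)
{
    *out = NULL;
    if (reloc_size == 0)
        return 0;                /* no malloc(0), no memcpy, nothing to free */
    unsigned char *relocs = malloc(reloc_size);
    if (relocs == NULL)
        return -1;
    if (fake_bread(relocs, reloc_size, abfd) != reloc_size) {
        free(relocs);
        return -1;
    }
    *out = relocs;
    return 0;
}

/* Walks three cases over a constructed 4-byte image; returns 1 if every case
   behaves as intended (zero size, full read, short read after EOF). */
int demo_read_relocs(void)
{
    static const unsigned char image[] = { 0x01, 0x02, 0x03, 0x04 };
    struct fake_bfd b = { image, 0, sizeof image };
    unsigned char *out = (unsigned char *)&b;   /* poison: must be cleared */
    int ok = read_relocs(&b, 0, &out) == 0 && out == NULL;
    ok = ok && read_relocs(&b, sizeof image, &out) == 0 && out != NULL
            && out[0] == 0x01 && out[3] == 0x04;
    free(out);                 /* free(NULL) is fine if the read failed */
    /* image is now exhausted: a short read must be reported as failure */
    return ok && read_relocs(&b, 1, &out) == -1 && out == NULL;
}
```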