Attachment #27150 for bug #64119

View | Details | Raw Unified | Return to bug 64119
Collapse All | Expand All

Lines 1-4 Link Here

(-)samba-2.2.8a.orig/source/aparser/parser.c (+13 lines)
1	#include "parser.h"	1	#include "parser.h"
		2	#include <limits.h>
		3
2		4
3	/*******************************************************************	5	/*******************************************************************
4	Attempt, if needed, to grow a data buffer.	6	Attempt, if needed, to grow a data buffer.
Lines 44-49 Link Here
44	* If the current buffer size is bigger than the space needed, just	46	* If the current buffer size is bigger than the space needed, just
45	* double it, else add extra_space.	47	* double it, else add extra_space.
46	*/	48	*/
		49	if(ps->buffer_size >= UINT_MAX/2)
		50	{
		51	DEBUG(0,("io_grow: integer overflow detected.\n"));
		52	return False;
		53	}
		54	if(ps->buffer_size >= UINT_MAX - extra_space)
		55	{
		56	DEBUG(0,("io_grow: integer overflow detected.\n"));
		57	return False;
		58	}
		59
47	new_size = MAX(ps->buffer_size*2, ps->buffer_size + extra_space);	60	new_size = MAX(ps->buffer_size*2, ps->buffer_size + extra_space);
48		61
49	if ((new_data = Realloc(ps->data_p, new_size)) == NULL) {	62	if ((new_data = Realloc(ps->data_p, new_size)) == NULL) {

Lines 126-132 Link Here

(-)samba-2.2.8a.orig/source/auth/pampass.c (-2 / +2 lines)
126	return PAM_CONV_ERR;	126	return PAM_CONV_ERR;
127	}	127	}
128		128
129	reply = malloc(sizeof(struct pam_response) * num_msg);	129	reply = malloc_array(sizeof(struct pam_response), num_msg);
130	if (!reply)	130	if (!reply)
131	return PAM_CONV_ERR;	131	return PAM_CONV_ERR;
132		132
Lines 286-292 Link Here
286	return PAM_CONV_ERR;	286	return PAM_CONV_ERR;
287	}	287	}
288		288
289	reply = malloc(sizeof(struct pam_response) * num_msg);	289	reply = malloc_array(sizeof(struct pam_response), num_msg);
290	if (!reply) {	290	if (!reply) {
291	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));	291	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
292	free_pw_chat(pw_chat);	292	free_pw_chat(pw_chat);

Lines 421-426 Link Here

(-)samba-2.2.8a.orig/source/client/client.c (-1 / +7 lines)
421	long new_end = do_list_queue_end + ((long)strlen(entry)) + 1;	421	long new_end = do_list_queue_end + ((long)strlen(entry)) + 1;
422	while (new_end > do_list_queue_size)	422	while (new_end > do_list_queue_size)
423	{	423	{
		424	if(do_list_queue_size >= UINT_MAX/2)
		425	{
		426	DEBUG(0,("add_to_do_list_queue: integer overflow detected.\n"));
		427	reset_do_list_queue();
		428	return;
		429	}
424	do_list_queue_size *= 2;	430	do_list_queue_size *= 2;
425	DEBUG(4,("enlarging do_list_queue to %d\n",	431	DEBUG(4,("enlarging do_list_queue to %d\n",
426	(int)do_list_queue_size));	432	(int)do_list_queue_size));
Lines 2045-2051 Link Here
2045	/* for words not at the start of the line fallback to filename completion */	2051	/* for words not at the start of the line fallback to filename completion */
2046	if (start) return NULL;	2052	if (start) return NULL;
2047		2053
2048	matches = (char *)malloc(sizeof(matches[0])MAX_COMPLETIONS);	2054	matches = (char **)malloc_array(sizeof(matches[0]), MAX_COMPLETIONS);
2049	if (!matches) return NULL;	2055	if (!matches) return NULL;
2050		2056
2051	matches[count++] = strdup(text);	2057	matches[count++] = strdup(text);

Lines 113-119 Link Here

(-)samba-2.2.8a.orig/source/client/clitar.c (-10 / +52 lines)
113		113
114	char tar_type='\0';	114	char tar_type='\0';
115	static char **cliplist=NULL;	115	static char **cliplist=NULL;
116	static int clipn=0;	116	static unsigned int clipn=0;
117	static BOOL must_free_cliplist = False;	117	static BOOL must_free_cliplist = False;
118		118
119	extern file_info def_finfo;	119	extern file_info def_finfo;
Lines 157-162 Link Here
157	{	157	{
158	char *tmp;	158	char *tmp;
159		159
		160	if(size >= INT_MAX-1)
		161	{
		162	DEBUG(0, ("string_create_s: integer overflow detected."));
		163	return NULL;
		164	}
		165
160	tmp = (char *)malloc(size+1);	166	tmp = (char *)malloc(size+1);
161		167
162	if (tmp == NULL) {	168	if (tmp == NULL) {
Lines 187-192 Link Here
187	if (l >= NAMSIZ - 1) {	193	if (l >= NAMSIZ - 1) {
188	/* write a GNU tar style long header */	194	/* write a GNU tar style long header */
189	char *b;	195	char *b;
		196
		197	if(l >= (INT_MAX - TBLOCK - 100))
		198	{
		199	DEBUG(0,("writetarheader: integer overflow detected.\n"));
		200	exit(1);
		201	}
190	b = (char *)malloc(l+TBLOCK+100);	202	b = (char *)malloc(l+TBLOCK+100);
191	if (!b) {	203	if (!b) {
192	DEBUG(0,("out of memory\n"));	204	DEBUG(0,("out of memory\n"));
Lines 388-394 Link Here
388	{	400	{
389	/* initialize tar buffer */	401	/* initialize tar buffer */
390	tbufsiz=blocksize*TBLOCK;	402	tbufsiz=blocksize*TBLOCK;
391	tarbuf=malloc(tbufsiz); /* FIXME: We might not get the buffer */	403	tarbuf=malloc(tbufsiz);
		404
		405	if(tarbuf == NULL)
		406	{
		407	DEBUG(0,("initarbuf: out of memory.\n"));
		408	exit(-1);
		409	}
392		410
393	/* reset tar buffer pointer and tar file counter and total dumped */	411	/* reset tar buffer pointer and tar file counter and total dumped */
394	tp=0; ntarf=0; ttarf=0;	412	tp=0; ntarf=0; ttarf=0;
Lines 1128-1138 Link Here
1128	*/	1146	*/
1129	static char * get_longfilename(file_info2 finfo)	1147	static char * get_longfilename(file_info2 finfo)
1130	{	1148	{
1131	int namesize = strlen(finfo.name) + strlen(cur_dir) + 2;	1149	size_t namesize = strlen(finfo.name) + strlen(cur_dir) + 2;
1132	char *longname = malloc(namesize);	1150	char *longname = malloc(namesize);
1133	SMB_BIG_INT offset = 0, left = finfo.size;	1151	SMB_BIG_INT offset = 0, left = finfo.size;
1134	BOOL first = True;	1152	BOOL first = True;
1135		1153
		1154	if(strlen(finfo.name) >= (UINT_MAX - strlen(cur_dir) - 2))
		1155	{
		1156	DEBUG(0,("get_longfilename: integer overflow detected.\n"));
		1157	return NULL;
		1158	}
		1159	namesize = strlen(finfo.name) + strlen(cur_dir) + 2;
		1160	longname = malloc(namesize);
		1161
1136	DEBUG(5, ("Restoring a long file name: %s\n", finfo.name));	1162	DEBUG(5, ("Restoring a long file name: %s\n", finfo.name));
1137	DEBUG(5, ("Len = %.0f\n", (double)finfo.size));	1163	DEBUG(5, ("Len = %.0f\n", (double)finfo.size));
1138		1164
Lines 1583-1589 Link Here
1583	FILE *inclusion = NULL;	1609	FILE *inclusion = NULL;
1584	char buf[MAXPATHLEN + 1];	1610	char buf[MAXPATHLEN + 1];
1585	char *inclusion_buffer = NULL;	1611	char *inclusion_buffer = NULL;
1586	int inclusion_buffer_size = 0;	1612	size_t inclusion_buffer_size = 0;
1587	int inclusion_buffer_sofar = 0;	1613	int inclusion_buffer_sofar = 0;
1588	char *p;	1614	char *p;
1589	char *tmpstr;	1615	char *tmpstr;
Lines 1616-1621 Link Here
1616		1642
1617	if ((strlen(buf) + 1 + inclusion_buffer_sofar) >= inclusion_buffer_size) {	1643	if ((strlen(buf) + 1 + inclusion_buffer_sofar) >= inclusion_buffer_size) {
1618	char *ib;	1644	char *ib;
		1645	if(inclusion_buffer_size >= UINT_MAX/2)
		1646	{
		1647	DEBUG(0,("read_inclusion_file: integer overflow detected.\n"));
		1648	return 0;
		1649	}
1619	inclusion_buffer_size *= 2;	1650	inclusion_buffer_size *= 2;
1620	ib = Realloc(inclusion_buffer,inclusion_buffer_size);	1651	ib = Realloc(inclusion_buffer,inclusion_buffer_size);
1621	if (! ib) {	1652	if (! ib) {
Lines 1628-1640 Link Here
1628		1659
1629	safe_strcpy(inclusion_buffer + inclusion_buffer_sofar, buf, inclusion_buffer_size - inclusion_buffer_sofar);	1660	safe_strcpy(inclusion_buffer + inclusion_buffer_sofar, buf, inclusion_buffer_size - inclusion_buffer_sofar);
1630	inclusion_buffer_sofar += strlen(buf) + 1;	1661	inclusion_buffer_sofar += strlen(buf) + 1;
		1662
		1663	if(clipn > (UINT_MAX-1))
		1664	{
		1665	DEBUG(0,("read_inclusion_file: integer overflow detected.\n"));
		1666	abort();
		1667	}
1631	clipn++;	1668	clipn++;
1632	}	1669	}
1633	fclose(inclusion);	1670	fclose(inclusion);
1634		1671
1635	if (! error) {	1672	if (! error) {
1636	/* Allocate an array of clipn + 1 char's for cliplist /	1673	/* Allocate an array of clipn + 1 char's for cliplist /
1637	cliplist = malloc((clipn + 1) * sizeof(char *));	1674	if(clipn > (UINT_MAX-1))
		1675	{
		1676	DEBUG(0,("read_inclusion_file: integer overflow detected.\n"));
		1677	abort();
		1678	}
		1679	cliplist = malloc_array((clipn + 1), sizeof(char *));
1638	if (cliplist == NULL) {	1680	if (cliplist == NULL) {
1639	DEBUG(0,("failure allocating memory for cliplist\n"));	1681	DEBUG(0,("failure allocating memory for cliplist\n"));
1640	error = 1;	1682	error = 1;
Lines 1808-1820 Link Here
1808	} else if (Optind+1<argc && !tar_re_search) { /* For backwards compatibility */	1850	} else if (Optind+1<argc && !tar_re_search) { /* For backwards compatibility */
1809	char *tmpstr;	1851	char *tmpstr;
1810	char **tmplist;	1852	char **tmplist;
1811	int clipcount;	1853	unsigned int clipcount;
1812		1854
1813	cliplist=argv+Optind+1;	1855	cliplist=argv+Optind+1;
1814	clipn=argc-Optind-1;	1856	clipn=argc-Optind-1;
1815	clipcount = clipn;	1857	clipcount = clipn;
1816		1858
1817	if ((tmplist=malloc(clipnsizeof(char ))) == NULL) {	1859	if ((tmplist=malloc_array(clipn, sizeof(char *))) == NULL) {
1818	DEBUG(0, ("Could not allocate space to process cliplist, count = %i\n",	1860	DEBUG(0, ("Could not allocate space to process cliplist, count = %i\n",
1819	clipn)	1861	clipn)
1820	);	1862	);
Lines 1848-1865 Link Here
1848	if ((preg = (regex_t *)malloc(65536)) == NULL) {	1890	if ((preg = (regex_t *)malloc(65536)) == NULL) {
1849		1891
1850	DEBUG(0, ("Could not allocate buffer for regular expression search\n"));	1892	DEBUG(0, ("Could not allocate buffer for regular expression search\n"));
1851	return;	1893	return 0;
1852		1894
1853	}	1895	}
1854		1896
1855	if (errcode = regcomp(preg, argv[Optind + 1], REG_EXTENDED \| REG_ICASE)) {	1897	if((errcode = regcomp(preg, argv[Optind + 1], REG_EXTENDED \| REG_ICASE))) {
1856	char errstr[1024];	1898	char errstr[1024];
1857	size_t errlen;	1899	size_t errlen;
1858		1900
1859	errlen = regerror(errcode, preg, errstr, sizeof(errstr) - 1);	1901	errlen = regerror(errcode, preg, errstr, sizeof(errstr) - 1);
1860		1902
1861	DEBUG(0, ("Could not compile pattern buffer for re search: %s\n%s\n", argv[Optind + 1], errstr));	1903	DEBUG(0, ("Could not compile pattern buffer for re search: %s\n%s\n", argv[Optind + 1], errstr));
1862	return;	1904	return 0;
1863		1905
1864	}	1906	}
1865	#endif	1907	#endif

Lines 143-148 Link Here

(-)samba-2.2.8a.orig/source/groupdb/aliasdb.c (+7 lines)
143	if (alss == NULL \|\| num_alss == NULL \|\| als == NULL)	143	if (alss == NULL \|\| num_alss == NULL \|\| als == NULL)
144	return False;	144	return False;
145		145
		146	if( (num_alss) == INT_MAX \|\| ((num_alss)+1) >= UINT_MAX/sizeof(LOCAL_GRP))
		147	{
		148	DEBUG(0,("add_domain_alias: integer overflow detected.\n"));
		149	if (*alss)
		150	free(*alss);
		151	return False;
		152	}
146	talss = (LOCAL_GRP )Realloc((alss), ((num_alss)+1) sizeof(LOCAL_GRP));	153	talss = (LOCAL_GRP )Realloc((alss), ((num_alss)+1) sizeof(LOCAL_GRP));
147	if (talss == NULL) {	154	if (talss == NULL) {
148	if (*alss)	155	if (*alss)

Lines 128-133 Link Here

(-)samba-2.2.8a.orig/source/groupdb/aliasfile.c (+8 lines)
128	DOM_SID sid;	128	DOM_SID sid;
129	uint8 type;	129	uint8 type;
130		130
		131	if((num_mem) == INT_MAX \|\| ((num_mem)+1) >= UINT_MAX/sizeof(LOCAL_GRP_MEMBER))
		132	{
		133	DEBUG(0,("get_alias_memebers: integer overflow detected.\n"));
		134	if (*members)
		135	free(*members);
		136	return NULL;
		137	}
		138
131	if (lookup_sid(name, &sid, &type)) {	139	if (lookup_sid(name, &sid, &type)) {
132	mbrs = Realloc((members), ((num_mem)+1) * sizeof(LOCAL_GRP_MEMBER));	140	mbrs = Realloc((members), ((num_mem)+1) * sizeof(LOCAL_GRP_MEMBER));
133	(*num_mem)++;	141	(*num_mem)++;

Lines 141-146 Link Here

(-)samba-2.2.8a.orig/source/groupdb/groupdb.c (+8 lines)
141	if (grps == NULL \|\| num_grps == NULL \|\| grp == NULL)	141	if (grps == NULL \|\| num_grps == NULL \|\| grp == NULL)
142	return False;	142	return False;
143		143
		144	if((num_grps) == INT_MAX \|\| (num_grps)+1 >= UINT_MAX/sizeof(DOMAIN_GRP))
		145	{
		146	DEBUG(0,("add_domain_group: integer overflow detected.\n"));
		147	if (*grps)
		148	free(*grps);
		149	return False;
		150	}
		151
144	tgrps = (DOMAIN_GRP )Realloc((grps), ((num_grps)+1) sizeof(DOMAIN_GRP));	152	tgrps = (DOMAIN_GRP )Realloc((grps), ((num_grps)+1) sizeof(DOMAIN_GRP));
145	if (tgrps == NULL) {	153	if (tgrps == NULL) {
146	if (*grps)	154	if (*grps)

Lines 129-134 Link Here

(-)samba-2.2.8a.orig/source/groupdb/groupfile.c (+8 lines)
129	{	129	{
130	DOMAIN_GRP_MEMBER *mbrs;	130	DOMAIN_GRP_MEMBER *mbrs;
131		131
		132	if((num_mem) == INT_MAX \|\| (num_mem)+1 >= UINT_MAX/sizeof(DOMAIN_GRP_MEMBER))
		133	{
		134	DEBUG(0,("get_group_members: integer overflow detected.\n"));
		135	if (*members)
		136	free(*members);
		137	return False;
		138	}
		139
132	mbrs = (DOMAIN_GRP_MEMBER )Realloc((members), ((num_mem)+1) sizeof(DOMAIN_GRP_MEMBER));	140	mbrs = (DOMAIN_GRP_MEMBER )Realloc((members), ((num_mem)+1) sizeof(DOMAIN_GRP_MEMBER));
133	if (mbrs == NULL) {	141	if (mbrs == NULL) {
134	if (*members)	142	if (*members)

Lines 145-150 Link Here

(-)samba-2.2.8a.orig/source/include/includes.h (+3 lines)
145		145
146	#ifdef HAVE_LIMITS_H	146	#ifdef HAVE_LIMITS_H
147	#include <limits.h>	147	#include <limits.h>
		148	#else
		149	#define UINT_MAX 4294967295U
		150	#define INT_MAX 2147483647
148	#endif	151	#endif
149		152
150	#ifdef HAVE_SYS_IOCTL_H	153	#ifdef HAVE_SYS_IOCTL_H





TALLOC_CTX *talloc_init(void);
void *talloc(TALLOC_CTX *t, size_t size);
void *talloc_array(TALLOC_CTX *ctx, size_t el_size, unsigned int count);
void *talloc_realloc(TALLOC_CTX *t, void *ptr, size_t size);
void talloc_destroy_pool(TALLOC_CTX *t);
void talloc_destroy(TALLOC_CTX *t);
size_t talloc_pool_size(TALLOC_CTX *t);
const char * talloc_pool_name(TALLOC_CTX const *t);
void *talloc_zero(TALLOC_CTX *t, size_t size);
void *talloc_zero_array(TALLOC_CTX *t, size_t el_size, unsigned int count);
void *talloc_memdup(TALLOC_CTX *t, const void *p, size_t size);
char *talloc_strdup(TALLOC_CTX *t, const char *p);
char *talloc_describe_all(TALLOC_CTX *rt);


/* The following definitions come from lib/util.c  */

void *malloc_array(size_t el_size, unsigned int count);
void *calloc_array(size_t size, size_t nmemb);
void *realloc_array(void *p,size_t el_size, unsigned int count);
const char *tmpdir(void);
BOOL in_group(gid_t group, gid_t current_gid, int ngroups, gid_t *groups);
const char *Atoic(const char *p, int *n, const char *c);

Lines 37-43 Link Here

(-)samba-2.2.8a.orig/source/lib/bitmap.c (-1 / +1 lines)
37	if (!bm) return NULL;	37	if (!bm) return NULL;
38		38
39	bm->n = n;	39	bm->n = n;
40	bm->b = (uint32 )malloc(sizeof(bm->b[0])(n+31)/32);	40	bm->b = (uint32 *)malloc_array(sizeof(bm->b[0]), (n+31)/32);
41	if (!bm->b) {	41	if (!bm->b) {
42	SAFE_FREE(bm);	42	SAFE_FREE(bm);
43	return NULL;	43	return NULL;

Lines 67-73 Link Here

(-)samba-2.2.8a.orig/source/lib/hash.c (-1 / +1 lines)
67		67
68	DEBUG(5, ("Hash size = %d.\n", table->size));	68	DEBUG(5, ("Hash size = %d.\n", table->size));
69		69
70	if(!(table->buckets = (ubi_dlList ) malloc(sizeof(ubi_dlList) table->size))) {	70	if(!(table->buckets = (ubi_dlList *) malloc_array(sizeof(ubi_dlList), table->size))) {
71	DEBUG(0,("hash_table_init: malloc fail !\n"));	71	DEBUG(0,("hash_table_init: malloc fail !\n"));
72	return False;	72	return False;
73	}	73	}

Lines 221-226 Link Here

(-)samba-2.2.8a.orig/source/lib/messages.c (+5 lines)
221	}	221	}
222		222
223	/* we're adding to an existing entry */	223	/* we're adding to an existing entry */
		224	if(dbuf.dsize >= (UINT_MAX-len) \|\| (dbuf.dsize+len) > (UINT_MAX-sizeof(rec)))
		225	{
		226	DEBUG(0,("message_send_pid: integer overflow detected.\n"));
		227	goto failed;
		228	}
224	p = (void *)malloc(dbuf.dsize + len + sizeof(rec));	229	p = (void *)malloc(dbuf.dsize + len + sizeof(rec));
225	if (!p) goto failed;	230	if (!p) goto failed;
226		231

Lines 202-208 Link Here

(-)samba-2.2.8a.orig/source/lib/replace.c (-1 / +1 lines)
202	struct group *g;	202	struct group *g;
203	char *gr;	203	char *gr;
204		204
205	if((grouplst = (gid_t )malloc(sizeof(gid_t) max_gr)) == NULL) {	205	if((grouplst = (gid_t *)malloc_array(sizeof(gid_t), max_gr)) == NULL) {
206	DEBUG(0,("initgroups: malloc fail !\n"));	206	DEBUG(0,("initgroups: malloc fail !\n"));
207	return -1;	207	return -1;
208	}	208	}




	 * acl[] array, this actually allocates an ACL with room
	 * for (count+1) entries
	 */
	if ((a = malloc_array(sizeof(*a) + count, sizeof(struct acl))) == NULL) {
		errno = ENOMEM;
		return NULL;
	}

		 * allocate a temporary buffer for the complete ACL
		 */
		acl_count = acc_acl->count + def_acl->count;
		acl_p = acl_buf = malloc_array(acl_count, sizeof(acl_buf[0]));

		if (acl_buf == NULL) {
			sys_acl_free_acl(tmp_acl);

{
	SMB_ACL_T	a;

	if (count < 0 || count > INT_MAX-sizeof(*a)) {
		errno = EINVAL;
		return NULL;
	}

		 * allocate a temporary buffer for the complete ACL
		 */
		acl_count = acc_acl->count + def_acl->count;
		acl_p = acl_buf = malloc_array(acl_count, sizeof(acl_buf[0]));

		if (acl_buf == NULL) {
			sys_acl_free_acl(tmp_acl);




	if (setlen == 0)
		setlen = groups_max();

	if((group_list = (GID_T *)malloc_array(setlen, sizeof(GID_T))) == NULL) {
		DEBUG(0,("sys_getgroups: Malloc fail.\n"));
		return -1;
	}

	 * GID_T array of size setlen.
	 */

	if((group_list = (GID_T *)malloc_array(setlen, sizeof(GID_T))) == NULL) {
		DEBUG(0,("sys_setgroups: Malloc fail.\n"));
		return -1;    
	}

	for( argcl = 1; ptr; ptr = strtok(NULL, " \t"))
		argcl++;

	if((argl = (char **)malloc_array((argcl + 1), sizeof(char *))) == NULL)
		return NULL;

	/*




	return p;
}

#define MAX_TALLOC_SIZE INT_MAX
void *talloc_array(TALLOC_CTX *ctx, size_t el_size, unsigned int count)
{
	if (count >= MAX_TALLOC_SIZE/el_size) {
		return NULL;
	}
	return talloc(ctx, el_size * count);
}

void *talloc_zero_array(TALLOC_CTX *t, size_t el_size, unsigned int count)
{
	void *p = talloc_array(t, el_size, count);

	if (p)
		memset(p, '\0', el_size*count);

	return p;
}


/** A talloc version of realloc */
void *talloc_realloc(TALLOC_CTX *t, void *ptr, size_t size)
{

Lines 336-342 Link Here

(-)samba-2.2.8a.orig/source/lib/username.c (-1 / +1 lines)
336	return False;	336	return False;
337	}	337	}
338		338
339	if ((groups = (gid_t )malloc(sizeof(gid_t) num_groups )) == NULL) {	339	if ((groups = (gid_t *)malloc_array(sizeof(gid_t), num_groups )) == NULL) {
340	DEBUG(0,("user_in_winbind_group_list: malloc fail.\n"));	340	DEBUG(0,("user_in_winbind_group_list: malloc fail.\n"));
341	goto err;	341	goto err;
342	}	342	}




fstring global_myworkgroup = "";
char **my_netbios_names;

/* a but huge but well... */
#define MAX_ALLOC_SIZE INT_MAX

/****************************************************************************
 Type-safe malloc.
****************************************************************************/

void *malloc_array(size_t el_size, unsigned int count)
{
	if (count >= MAX_ALLOC_SIZE/el_size) {
		return NULL;
	}
	return malloc(el_size*count);
}

/****************************************************************************
 Type-safe calloc.
****************************************************************************/

void *calloc_array(size_t size, size_t nmemb)
{
	if (nmemb >= MAX_ALLOC_SIZE/size) {
		return NULL;
	}
	return calloc(nmemb, size);
}

void *realloc_array(void *p,size_t el_size, unsigned int count)
{
	if (count >= MAX_ALLOC_SIZE/el_size) {
 		return NULL;
	}
	return Realloc(p,el_size*count);
}


/****************************************************************************
 Find a suitable temporary directory. The result should be copied immediately

	while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') {
		uint32 *tn;

		if((*count) == INT_MAX || ((*count)+1) >= INT_MAX/sizeof(uint32))
		{
			DEBUG(0,("get_numlist: integer overflow detected.\n"));
			SAFE_FREE(*num);
			return NULL;
		}
		tn = Realloc((*num), ((*count)+1) * sizeof(uint32));
		if (tn == NULL)
		{

Lines 367-372 Link Here

(-)samba-2.2.8a.orig/source/lib/util_file.c (-1 / +11 lines)
367	total = 0;	367	total = 0;
368		368
369	while ((n = read(fd, buf, sizeof(buf))) > 0) {	369	while ((n = read(fd, buf, sizeof(buf))) > 0) {
		370	if(total >= UINT_MAX-n)
		371	{
		372	DEBUG(0,("file_pload: integer overflow detected.\n"));
		373	close(fd);
		374	SAFE_FREE(p);
		375	return NULL;
		376	}
370	tp = Realloc(p, total + n + 1);	377	tp = Realloc(p, total + n + 1);
371	if (!tp) {	378	if (!tp) {
372	DEBUG(0,("file_pload: failed to exand buffer!\n"));	379	DEBUG(0,("file_pload: failed to exand buffer!\n"));
Lines 398-403 Link Here
398		405
399	if (sys_fstat(fd, &sbuf) != 0) return NULL;	406	if (sys_fstat(fd, &sbuf) != 0) return NULL;
400		407
		408	if(sbuf.st_size == UINT_MAX) /* very large file */
		409	return NULL;
		410
401	p = (char *)malloc(sbuf.st_size+1);	411	p = (char *)malloc(sbuf.st_size+1);
402	if (!p) return NULL;	412	if (!p) return NULL;
403		413
Lines 447-453 Link Here
447	if (s[0] == '\n') i++;	457	if (s[0] == '\n') i++;
448	}	458	}
449		459
450	ret = (char *)malloc(sizeof(ret[0])(i+2));	460	ret = (char **)malloc_array(sizeof(ret[0]), (i+2));
451	if (!ret) {	461	if (!ret) {
452	SAFE_FREE(p);	462	SAFE_FREE(p);
453	return NULL;	463	return NULL;

Lines 89-95 Link Here

(-)samba-2.2.8a.orig/source/lib/util_getent.c (-1 / +1 lines)
89	;	89	;
90		90
91	/* alloc space for gr_mem string pointers */	91	/* alloc space for gr_mem string pointers */
92	if ((gent->gr_mem = (char *) malloc((num+1) sizeof(char *))) == NULL)	92	if ((gent->gr_mem = (char *) malloc_array((num+1), sizeof(char ))) == NULL)
93	goto err;	93	goto err;
94		94
95	memset(gent->gr_mem, '\0', (num+1) * sizeof(char *));	95	memset(gent->gr_mem, '\0', (num+1) * sizeof(char *));

Lines 352-358 Link Here

(-)samba-2.2.8a.orig/source/lib/util_seaccess.c (-1 / +1 lines)
352		352
353	the_acl = parent_ctr->dacl;	353	the_acl = parent_ctr->dacl;
354		354
355	if (!(new_ace_list = talloc(ctx, sizeof(SEC_ACE) * the_acl->num_aces)))	355	if (!(new_ace_list = talloc_array(ctx, sizeof(SEC_ACE), the_acl->num_aces)))
356	return NULL;	356	return NULL;
357		357
358	for (i = 0; the_acl && i < the_acl->num_aces; i++) {	358	for (i = 0; the_acl && i < the_acl->num_aces; i++) {

Lines 785-791 Link Here

(-)samba-2.2.8a.orig/source/lib/util_sid.c (-1 / +1 lines)
785	char sid_binstring(DOM_SID sid)	785	char sid_binstring(DOM_SID sid)
786	{	786	{
787	char buf, s;	787	char buf, s;
788	int len = sid_size(sid);	788	unsigned int len = sid_size(sid);
789	buf = malloc(len);	789	buf = malloc(len);
790	if (!buf) return NULL;	790	if (!buf) return NULL;
791	sid_linearize(buf, len, sid);	791	sid_linearize(buf, len, sid);

Lines 103-109 Link Here

(-)samba-2.2.8a.orig/source/lib/util_str.c (-1 / +3 lines)
103	*ctok=ictok;	103	*ctok=ictok;
104	s=last_ptr;	104	s=last_ptr;
105		105
106	if (!(ret=iret=malloc(ictoksizeof(char )))) return NULL;	106	if (!(ret=iret=malloc_array(ictok, sizeof(char *)))) return NULL;
107		107
108	while(ictok--) {	108	while(ictok--) {
109	*iret++=s;	109	*iret++=s;
Lines 1360-1365 Link Here
1360	char *s;	1360	char *s;
1361	int i, j;	1361	int i, j;
1362	const char *hex = "0123456789ABCDEF";	1362	const char *hex = "0123456789ABCDEF";
		1363	if(len <= 0 \|\| len >= INT_MAX/3)
		1364	return NULL;
1363	s = malloc(len * 3 + 1);	1365	s = malloc(len * 3 + 1);
1364	if (!s) return NULL;	1366	if (!s) return NULL;
1365	for (j=i=0;i<len;i++) {	1367	for (j=i=0;i<len;i++) {





smb_ucs2_t *strdup_w(const smb_ucs2_t *s)
{
	size_t newlen;
	smb_ucs2_t *newstr = (smb_ucs2_t *)malloc_array((strlen_w(s)+1), sizeof(smb_ucs2_t));
	
    if (newstr == NULL)
        return NULL;
	newlen = (strlen_w(s)+1)*sizeof(smb_ucs2_t);
    safe_strcpy_w(newstr, s, newlen);
    return newstr;
}

	*ctok = ictok;
	s = last_ptr;

	if (!(ret=iret=malloc_array(ictok, sizeof(smb_ucs2_t *))))
		return NULL;
  
	while(ictok--) {

	if (l == 0)
		*dest = null_string;
	else {
		(*dest) = (smb_ucs2_t *)malloc_array(sizeof(smb_ucs2_t), (l+1));
		if ((*dest) == NULL) {
			DEBUG(0,("Out of memory in string_init_w\n"));
			return False;

Lines 263-268 Link Here

(-)samba-2.2.8a.orig/source/libsmb/clilist.c (+5 lines)
263	}	263	}
264		264
265	/* and add them to the dirlist pool */	265	/* and add them to the dirlist pool */
		266	if(dirlist_len >= UINT_MAX - data_len)
		267	{
		268	DEBUG(0,("cli_list_new: integer overflow detected.\n"));
		269	break;
		270	}
266	tdl = Realloc(dirlist,dirlist_len + data_len);	271	tdl = Realloc(dirlist,dirlist_len + data_len);
267		272
268	if (!tdl) {	273	if (!tdl) {




		goto done;
	}

	if (!((*domains) = (char **)talloc_array(mem_ctx, sizeof(char *),
					   num_sids))) {
		DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (!((*names) = (char **)talloc_array(mem_ctx, sizeof(char *),
					 num_sids))) {
		DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (!((*types) = (uint32 *)talloc_array(mem_ctx, sizeof(uint32),
					  num_sids))) {
		DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;

		goto done;
	}

	if (!((*sids = (DOM_SID *)talloc_array(mem_ctx, sizeof(DOM_SID),
					 num_names)))) {
		DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (!((*types = (uint32 *)talloc_array(mem_ctx, sizeof(uint32),
					 num_names)))) {
		DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;


		/* Allocate memory for trusted domain names and sids */

		*domain_names = (char **)talloc_array(mem_ctx, sizeof(char *),
						r.num_domains);

		if (!*domain_names) {

			goto done;
		}

		*domain_sids = (DOM_SID *)talloc_array(mem_ctx, sizeof(DOM_SID),
						 r.num_domains);
		if (!domain_sids) {
			DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));

	*enum_context = r.enum_context;
	*count = r.count;

	if (!((*privs_name = (char **)talloc_array(mem_ctx, sizeof(char *), r.count)))) {
		DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (!((*privs_high = (uint32 *)talloc_array(mem_ctx, sizeof(uint32), r.count)))) {
		DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	if (!((*privs_low = (uint32 *)talloc_array(mem_ctx, sizeof(uint32), r.count)))) {
		DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;


	/* Return output parameters */

	*sids = (DOM_SID *)talloc_array(mem_ctx, sizeof(DOM_SID), r.sids.num_entries);
	if (!*sids) {
		DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;

	if (r.count == 0)
		goto done;

	if (!((*set = (LUID_ATTR *)talloc_array(mem_ctx, sizeof(LUID_ATTR), r.count)))) {
		DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;

Lines 241-246 Link Here

(-)samba-2.2.8a.orig/source/libsmb/clireadwrite.c (+2 lines)
241	BOOL bigoffset = False;	241	BOOL bigoffset = False;
242		242
243	if (size > cli->bufsize) {	243	if (size > cli->bufsize) {
		244	if(size >= (UINT_MAX-1024))
		245	return False;
244	cli->outbuf = realloc(cli->outbuf, size + 1024);	246	cli->outbuf = realloc(cli->outbuf, size + 1024);
245	cli->inbuf = realloc(cli->inbuf, size + 1024);	247	cli->inbuf = realloc(cli->inbuf, size + 1024);
246	if (cli->outbuf == NULL \|\| cli->inbuf == NULL)	248	if (cli->outbuf == NULL \|\| cli->inbuf == NULL)




	*num_dom_groups = r.num_entries2;

	if (!((*dom_groups) = (struct acct_info *)
	      talloc_array(mem_ctx, sizeof(struct acct_info), *num_dom_groups))) {
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	*num_dom_groups = r.num_entries2;

	if (!((*dom_groups) = (struct acct_info *)
	      talloc_array(mem_ctx, sizeof(struct acct_info), *num_dom_groups))) {
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}


	*num_mem = r.num_sids;

	if (!(*sids = talloc_array(mem_ctx, sizeof(DOM_SID), *num_mem))) {
		result = NT_STATUS_UNSUCCESSFUL;
		goto done;
	}

	}

	*num_names = r.num_names1;
	*names = talloc_array(mem_ctx, sizeof(char *), r.num_names1);
	*name_types = talloc_array(mem_ctx, sizeof(uint32), r.num_names1);

	for (i = 0; i < r.num_names1; i++) {
		fstring tmp;

	}

	*num_rids = r.num_rids1;
	*rids = talloc_array(mem_ctx, sizeof(uint32), r.num_rids1);
	*rid_types = talloc_array(mem_ctx, sizeof(uint32), r.num_rids1);

	for (i = 0; i < r.num_rids1; i++) {
		(*rids)[i] = r.rids[i];




        uint32 i;
        PRINTER_INFO_0  *inf;

        inf=(PRINTER_INFO_0 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_0));

        buffer->prs.data_offset=0;


        uint32 i;
        PRINTER_INFO_1  *inf;

        inf=(PRINTER_INFO_1 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_1));

        buffer->prs.data_offset=0;


        uint32 i;
        PRINTER_INFO_2  *inf;

        inf=(PRINTER_INFO_2 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_2));

        buffer->prs.data_offset=0;


        uint32 i;
        PRINTER_INFO_3  *inf;

        inf=(PRINTER_INFO_3 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_3));

        buffer->prs.data_offset=0;


        uint32 i;
        PORT_INFO_1 *inf;

        inf=(PORT_INFO_1*)talloc_array(mem_ctx, returned, sizeof(PORT_INFO_1));

        prs_set_offset(&buffer->prs, 0);


        uint32 i;
        PORT_INFO_2 *inf;

        inf=(PORT_INFO_2*)talloc_array(mem_ctx, returned, sizeof(PORT_INFO_2));

        prs_set_offset(&buffer->prs, 0);


        uint32 i;
        DRIVER_INFO_1 *inf;

        inf=(DRIVER_INFO_1 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_1));

        buffer->prs.data_offset=0;


        uint32 i;
        DRIVER_INFO_2 *inf;

        inf=(DRIVER_INFO_2 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_2));

        buffer->prs.data_offset=0;


        uint32 i;
        DRIVER_INFO_3 *inf;

        inf=(DRIVER_INFO_3 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_3));

        buffer->prs.data_offset=0;


{
	int i;

	*forms = (FORM_1 *)talloc_array(mem_ctx, num_forms, sizeof(FORM_1));
	buffer->prs.data_offset = 0;

	for (i = 0; i < num_forms; i++)

Lines 585-591 Link Here

(-)samba-2.2.8a.orig/source/libsmb/libsmbclient.c (-2 / +2 lines)
585		585
586	#endif	586	#endif
587		587
588	smbc_file_table = malloc(SMBC_MAX_FD * sizeof(struct smbc_file *));	588	smbc_file_table = malloc_array(SMBC_MAX_FD, sizeof(struct smbc_file *));
589	if (!smbc_file_table)	589	if (!smbc_file_table)
590	return ENOMEM;	590	return ENOMEM;
591		591
Lines 645-651 Link Here
645	}	645	}
646	else {	646	else {
647		647
648	int slot = 0;	648	unsigned int slot = 0;
649		649
650	/* Find a free slot first */	650	/* Find a free slot first */
651		651

Lines 224-231 Link Here

(-)samba-2.2.8a.orig/source/libsmb/namecache.c (-2 / +2 lines)
224		224
225	if (data->count) {	225	if (data->count) {
226		226
227	ip_list = (struct in_addr )malloc(	227	ip_list = (struct in_addr )malloc_array(
228	sizeof(struct in_addr) * data->count);	228	sizeof(struct in_addr), data->count);
229		229
230	memcpy(ip_list, data->ip_list, sizeof(struct in_addr) data->count);	230	memcpy(ip_list, data->ip_list, sizeof(struct in_addr) data->count);
231		231

Lines 54-60 Link Here

(-)samba-2.2.8a.orig/source/libsmb/namequery.c (-5 / +22 lines)
54		54
55	if (*num_names == 0) return NULL;	55	if (*num_names == 0) return NULL;
56		56
57	ret = (struct node_status )malloc(sizeof(struct node_status) (*num_names));	57	ret = (struct node_status )malloc_array(sizeof(struct node_status), (num_names));
58	if (!ret) return NULL;	58	if (!ret) return NULL;
59		59
60	p++;	60	p++;
Lines 406-412 Link Here
406	free_packet(p2);	406	free_packet(p2);
407	continue;	407	continue;
408	}	408	}
409		409	if(
		410	nmb2->answers->rdlength >= INT_MAX/6 \|\|
		411	(*count) >= INT_MAX-(nmb2->answers->rdlength/6) \|\|
		412	sizeof( ip_list[0] ) >= UINT_MAX/( (*count) + nmb2->answers->rdlength/6 )
		413	)
		414	{
		415	DEBUG(0,("name_query: integer overflow detected.\n"));
		416	free_packet(p2);
		417	return NULL;
		418	}
410	tmp_ip_list = (struct in_addr *)Realloc( ip_list, sizeof( ip_list[0] )	419	tmp_ip_list = (struct in_addr *)Realloc( ip_list, sizeof( ip_list[0] )
411	* ( (*count) + nmb2->answers->rdlength/6 ) );	420	* ( (*count) + nmb2->answers->rdlength/6 ) );
412		421
Lines 812-818 Link Here
812	int i = 0, j;	821	int i = 0, j;
813	while (hp->h_addr_list[i]) i++;	822	while (hp->h_addr_list[i]) i++;
814	DEBUG(10, ("%d addresses returned\n", i));	823	DEBUG(10, ("%d addresses returned\n", i));
815	return_iplist = (struct in_addr )malloc(i*sizeof(struct in_addr));	824	return_iplist = (struct in_addr )malloc_array(i, sizeof(struct in_addr));
816	if(*return_iplist == NULL) {	825	if(*return_iplist == NULL) {
817	DEBUG(3,("resolve_hosts: malloc fail !\n"));	826	DEBUG(3,("resolve_hosts: malloc fail !\n"));
818	return False;	827	return False;
Lines 920-926 Link Here
920	the iplist when the PDC is down will cause two sets of timeouts. */	929	the iplist when the PDC is down will cause two sets of timeouts. */
921		930
922	if (*return_count && (nodupes_iplist =	931	if (*return_count && (nodupes_iplist =
923	(struct in_addr )malloc(sizeof(struct in_addr) (*return_count)))) {	932	(struct in_addr )malloc_array(sizeof(struct in_addr), (return_count)))) {
924	int nodupes_count = 0;	933	int nodupes_count = 0;
925		934
926	/* Iterate over return_iplist looking for duplicates */	935	/* Iterate over return_iplist looking for duplicates */
Lines 1327-1333 Link Here
1327	if (num_addresses == 0)	1336	if (num_addresses == 0)
1328	return internal_resolve_name(group, name_type, ip_list, count);	1337	return internal_resolve_name(group, name_type, ip_list, count);
1329		1338
1330	return_iplist = (struct in_addr )malloc(num_addresses sizeof(struct in_addr));	1339	return_iplist = (struct in_addr *)malloc_array(num_addresses, sizeof(struct in_addr));
1331	if(return_iplist == NULL) {	1340	if(return_iplist == NULL) {
1332	DEBUG(3,("get_dc_list: malloc fail !\n"));	1341	DEBUG(3,("get_dc_list: malloc fail !\n"));
1333	return False;	1342	return False;
Lines 1339-1344 Link Here
1339	int count_more;	1348	int count_more;
1340	if (resolve_name_2( name, &more_ip, &count_more, 0x20) == False)	1349	if (resolve_name_2( name, &more_ip, &count_more, 0x20) == False)
1341	continue;	1350	continue;
		1351
		1352	if(num_addresses >= INT_MAX-count_more \|\| (num_addresses + count_more) >= INT_MAX/sizeof(struct in_addr))
		1353	{
		1354	DEBUG(0,("get_dc_list: integer overflow detected.\n"));
		1355	SAFE_FREE(return_iplist);
		1356	SAFE_FREE(more_ip);
		1357	return False;
		1358	}
1342	tmp = (struct in_addr )realloc(return_iplist,(num_addresses + count_more) sizeof(struct in_addr));	1359	tmp = (struct in_addr )realloc(return_iplist,(num_addresses + count_more) sizeof(struct in_addr));
1343	if (return_iplist == NULL) {	1360	if (return_iplist == NULL) {
1344	DEBUG(3, ("realloc failed with %d addresses\n", num_addresses + count_more));	1361	DEBUG(3, ("realloc failed with %d addresses\n", num_addresses + count_more));




				struct res_rec **recs, int count)
{
  int i;
  *recs = (struct res_rec *)malloc_array(sizeof(**recs), count);
  if (!*recs) return(False);

  memset((char *)*recs,'\0',sizeof(**recs)*count);

  if (nmb->answers)
  {
    if((copy_nmb->answers = (struct res_rec *)
                  malloc_array(nmb->header.ancount, sizeof(struct res_rec))) == NULL)
      goto free_and_exit;
    memcpy((char *)copy_nmb->answers, (char *)nmb->answers, 
           nmb->header.ancount * sizeof(struct res_rec));

  if (nmb->nsrecs)
  {
    if((copy_nmb->nsrecs = (struct res_rec *)
                  malloc_array(nmb->header.nscount, sizeof(struct res_rec))) == NULL)
      goto free_and_exit;
    memcpy((char *)copy_nmb->nsrecs, (char *)nmb->nsrecs, 
           nmb->header.nscount * sizeof(struct res_rec));

  if (nmb->additional)
  {
    if((copy_nmb->additional = (struct res_rec *)
                  malloc_array(nmb->header.arcount, sizeof(struct res_rec))) == NULL)
      goto free_and_exit;
    memcpy((char *)copy_nmb->additional, (char *)nmb->additional, 
           nmb->header.arcount * sizeof(struct res_rec));

Lines 355-360 Link Here

(-)samba-2.2.8a.orig/source/locking/brlock.c (+5 lines)
355	}	355	}
356		356
357	/* no conflicts - add it to the list of locks */	357	/* no conflicts - add it to the list of locks */
		358	if(dbuf.dsize >= UINT_MAX-sizeof(*locks))
		359	{
		360	DEBUG(0,("brl_lock: integer overflow detected.\n"));
		361	goto fail;
		362	}
358	tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(*locks));	363	tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(*locks));
359	if (!tp) {	364	if (!tp) {
360	status = NT_STATUS_NO_MEMORY;	365	status = NT_STATUS_NO_MEMORY;

Lines 370-375 Link Here

(-)samba-2.2.8a.orig/source/locking/posix.c (+5 lines)
370	pl.size = size;	370	pl.size = size;
371	pl.lock_type = lock_type;	371	pl.lock_type = lock_type;
372		372
		373	if(dbuf.dsize >= UINT_MAX - sizeof(pl))
		374	{
		375	DEBUG(0,("add_posix_lock_entry: integer overflow detected.\n"));
		376	goto fail;
		377	}
373	tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(pl));	378	tp = Realloc(dbuf.dptr, dbuf.dsize + sizeof(pl));
374	if (!tp) {	379	if (!tp) {
375	DEBUG(0,("add_posix_lock_entry: Realloc fail !\n"));	380	DEBUG(0,("add_posix_lock_entry: Realloc fail !\n"));

Lines 128-134 Link Here

(-)samba-2.2.8a.orig/source/msdfs/msdfs.c (-1 / +1 lines)
128		128
129	DEBUG(10,("parse_symlink: count=%d\n", count));	129	DEBUG(10,("parse_symlink: count=%d\n", count));
130		130
131	reflist = preflist = (struct referral) malloc(count * sizeof(struct referral));	131	reflist = preflist = (struct referral) malloc_array(count, sizeof(struct referral));
132	if(reflist == NULL) {	132	if(reflist == NULL) {
133	DEBUG(0,("parse_symlink: Malloc failed!\n"));	133	DEBUG(0,("parse_symlink: Malloc failed!\n"));
134	return False;	134	return False;

Lines 293-299 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_browsesync.c (-1 / +1 lines)
293	struct work_record *work;	293	struct work_record *work;
294	struct nmb_name nmbname;	294	struct nmb_name nmbname;
295	struct userdata_struct *userdata;	295	struct userdata_struct *userdata;
296	int size = sizeof(struct userdata_struct) + sizeof(fstring)+1;	296	size_t size = sizeof(struct userdata_struct) + sizeof(fstring)+1;
297		297
298	if( !(work = find_workgroup_on_subnet(subrec, q_name->name)) )	298	if( !(work = find_workgroup_on_subnet(subrec, q_name->name)) )
299	{	299	{

Lines 585-591 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd.c (-1 / +1 lines)
585	namecount++;	585	namecount++;
586		586
587	/* Allocate space for the netbios aliases */	587	/* Allocate space for the netbios aliases */
588	my_netbios_names = (char *)malloc( sizeof(char ) * (namecount+1) );	588	my_netbios_names = (char *)malloc_array( sizeof(char ), (namecount+1) );
589	if( NULL == my_netbios_names )	589	if( NULL == my_netbios_names )
590	{	590	{
591	DEBUG( 0, ( "init_structs: malloc fail.\n" ) );	591	DEBUG( 0, ( "init_structs: malloc fail.\n" ) );

Lines 558-564 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_incomingrequests.c (-1 / +1 lines)
558	prdata = rdata;	558	prdata = rdata;
559	else	559	else
560	{	560	{
561	if((prdata = (char )malloc( namerec->data.num_ips 6 )) == NULL)	561	if((prdata = (char *)malloc_array( namerec->data.num_ips, 6 )) == NULL)
562	{	562	{
563	DEBUG(0,("process_name_query_request: malloc fail !\n"));	563	DEBUG(0,("process_name_query_request: malloc fail !\n"));
564	goto done;	564	goto done;




  }

  memset( (char *)namerec, '\0', sizeof(*namerec) );
  namerec->data.ip = (struct in_addr *)malloc_array( sizeof(struct in_addr), 
                                               num_ips );
  if( NULL == namerec->data.ip )
  {
     DEBUG( 0, ( "add_name_to_subnet: malloc fail when creating ip_flgs.\n" ) );

  if( find_ip_in_name_record( namerec, new_ip ) )
    return;
  
  new_list = (struct in_addr *)malloc_array( (namerec->data.num_ips + 1),
                                       sizeof(struct in_addr) );
  if( NULL == new_list )
  {
    DEBUG(0,("add_ip_to_name_record: Malloc fail !\n"));

    /* Create an IP list containing all our known subnets. */

    num_ips = iface_count();
    iplist = (struct in_addr *)malloc_array( num_ips, sizeof(struct in_addr) );
    if( NULL == iplist )
    {
      DEBUG(0,("add_samba_names_to_subnet: Malloc fail !\n"));

Lines 276-282 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_nameregister.c (-1 / +1 lines)
276	for(subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec) )	276	for(subrec = FIRST_SUBNET; subrec; subrec = NEXT_SUBNET_EXCLUDING_UNICAST(subrec) )
277	num_ips++;	277	num_ips++;
278		278
279	if((ip_list = (struct in_addr )malloc(num_ips sizeof(struct in_addr)))==NULL)	279	if((ip_list = (struct in_addr *)malloc_array(num_ips, sizeof(struct in_addr)))==NULL)
280	{	280	{
281	DEBUG(0,("multihomed_register_name: malloc fail !\n"));	281	DEBUG(0,("multihomed_register_name: malloc fail !\n"));
282	return True;	282	return True;

Lines 1724-1730 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_packets.c (-1 / +6 lines)
1724	return True;	1724	return True;
1725	}	1725	}
1726		1726
1727	if((sock_array = (int )malloc(((count2) + 2)*sizeof(int))) == NULL)	1727	if(count >= (UINT_MAX/2)-2)
		1728	{
		1729	DEBUG(0,("create_listen_fdset: integer overflow detected.\n"));
		1730	return True;
		1731	}
		1732	if((sock_array = (int )malloc_array(((count2) + 2), sizeof(int))) == NULL)
1728	{	1733	{
1729	DEBUG(0,("create_listen_fdset: malloc fail for socket array.\n"));	1734	DEBUG(0,("create_listen_fdset: malloc fail for socket array.\n"));
1730	return True;	1735	return True;

Lines 61-67 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_winsproxy.c (-1 / +1 lines)
61	iplist = &ip;	61	iplist = &ip;
62	else	62	else
63	{	63	{
64	if((iplist = (struct in_addr )malloc( num_ips sizeof(struct in_addr) )) == NULL)	64	if((iplist = (struct in_addr *)malloc_array( num_ips, sizeof(struct in_addr) )) == NULL)
65	{	65	{
66	DEBUG(0,("wins_proxy_name_query_request_success: malloc fail !\n"));	66	DEBUG(0,("wins_proxy_name_query_request_success: malloc fail !\n"));
67	return;	67	return;




    }

    /* Allocate the space for the ip_list. */
    if((ip_list = (struct in_addr *)malloc_array( num_ips, sizeof(struct in_addr))) == NULL)
    {
      DEBUG(0,("initialise_wins: Malloc fail !\n"));
      return False;

    return;
  }

  if((prdata = (char *)malloc_array( num_ips, 6 )) == NULL)
  {
    DEBUG(0,("process_wins_dmb_query_request: Malloc fail !.\n"));
    return;

      prdata = rdata;
    else
    {
      if((prdata = (char *)malloc_array( namerec->data.num_ips, 6 )) == NULL)
      {
        DEBUG(0,("send_wins_name_query_response: malloc fail !\n"));
        return;

Lines 294-300 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/wb_common.c (-1 / +2 lines)
294	sizeof(struct winbindd_response);	294	sizeof(struct winbindd_response);
295		295
296	/* Mallocate memory for extra data */	296	/* Mallocate memory for extra data */
297		297	if(extra_data_len <= 0)
		298	return -1;
298	if (!(response->extra_data = malloc(extra_data_len))) {	299	if (!(response->extra_data = malloc(extra_data_len))) {
299	return -1;	300	return -1;
300	}	301	}

Lines 321-326 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbindd_cache.c (-6 / +11 lines)
321	{	321	{
322	uint8 *p;	322	uint8 *p;
323	if (centry->len - centry->ofs >= len) return;	323	if (centry->len - centry->ofs >= len) return;
		324	if(centry->len >= INT_MAX/2)
		325	{
		326	DEBUG(0,("centry_expand: integer overflow detected.\n"));
		327	return;
		328	}
324	centry->len *= 2;	329	centry->len *= 2;
325	p = realloc(centry->data, centry->len);	330	p = realloc(centry->data, centry->len);
326	if (!p) {	331	if (!p) {
Lines 499-505 Link Here
499		504
500	if (*num_entries == 0) goto do_cached;	505	if (*num_entries == 0) goto do_cached;
501		506
502	(info) = talloc(mem_ctx, sizeof(info) (*num_entries));	507	(info) = talloc_array(mem_ctx, sizeof(info), (num_entries));
503	if (! (*info)) smb_panic("query_user_list out of memory");	508	if (! (*info)) smb_panic("query_user_list out of memory");
504	for (i=0; i<(*num_entries); i++) {	509	for (i=0; i<(*num_entries); i++) {
505	(*info)[i].acct_name = centry_string(centry, mem_ctx);	510	(*info)[i].acct_name = centry_string(centry, mem_ctx);
Lines 585-591 Link Here
585		590
586	if (*num_entries == 0) goto do_cached;	591	if (*num_entries == 0) goto do_cached;
587		592
588	(info) = talloc(mem_ctx, sizeof(info) (*num_entries));	593	(info) = talloc_array(mem_ctx, sizeof(info), (num_entries));
589	if (! (*info)) smb_panic("enum_dom_groups out of memory");	594	if (! (*info)) smb_panic("enum_dom_groups out of memory");
590	for (i=0; i<(*num_entries); i++) {	595	for (i=0; i<(*num_entries); i++) {
591	fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));	596	fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
Lines 794-800 Link Here
794		799
795	if (*num_groups == 0) goto do_cached;	800	if (*num_groups == 0) goto do_cached;
796		801
797	(user_gids) = talloc(mem_ctx, sizeof(user_gids) (*num_groups));	802	(user_gids) = talloc_array(mem_ctx, sizeof(user_gids), (num_groups));
798	if (! (*user_gids)) smb_panic("lookup_usergroups out of memory");	803	if (! (*user_gids)) smb_panic("lookup_usergroups out of memory");
799	for (i=0; i<(*num_groups); i++) {	804	for (i=0; i<(*num_groups); i++) {
800	(*user_gids)[i] = centry_uint32(centry);	805	(*user_gids)[i] = centry_uint32(centry);
Lines 852-860 Link Here
852		857
853	if (*num_names == 0) goto do_cached;	858	if (*num_names == 0) goto do_cached;
854		859
855	(rid_mem) = talloc(mem_ctx, sizeof(rid_mem) (*num_names));	860	(rid_mem) = talloc_array(mem_ctx, sizeof(rid_mem), (num_names));
856	(names) = talloc(mem_ctx, sizeof(names) (*num_names));	861	(names) = talloc_array(mem_ctx, sizeof(names), (num_names));
857	(name_types) = talloc(mem_ctx, sizeof(name_types) (*num_names));	862	(name_types) = talloc_array(mem_ctx, sizeof(name_types), (num_names));
858		863
859	if (! (rid_mem) \|\| ! (names) \|\| ! (*name_types)) {	864	if (! (rid_mem) \|\| ! (names) \|\| ! (*name_types)) {
860	smb_panic("lookup_groupmem out of memory");	865	smb_panic("lookup_groupmem out of memory");




	/* Copy entries into return buffer */

	if (num_entries) {
		name_list = malloc_array(sizeof(struct acct_info), num_entries);
		memcpy(name_list, sam_grp_entries, 
		       num_entries * sizeof(struct acct_info));
	}

	num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries);

	if ((state->response.extra_data = 
	     malloc_array(num_groups, sizeof(struct winbindd_gr))) == NULL)
		return WINBINDD_ERROR;

	state->response.data.num_entries = 0;

	/* Copy data back to client */

	num_gids = 0;
	gid_list = malloc_array(sizeof(gid_t), num_groups);

	if (state->response.extra_data)
		goto done;

Lines 108-113 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbindd_misc.c (+6 lines)
108	/* Add domain to list */	108	/* Add domain to list */
109		109
110	total_entries++;	110	total_entries++;
		111	if(sizeof(fstring) >= UINT_MAX/total_entries)
		112	{
		113	DEBUG(0,("winbindd_list_domains: integer overflow detected.\n"));
		114	SAFE_FREE(extra_data);
		115	return WINBINDD_ERROR;
		116	}
111	ted = Realloc(extra_data, sizeof(fstring) *	117	ted = Realloc(extra_data, sizeof(fstring) *
112	total_entries);	118	total_entries);
113		119




			talloc_destroy(mem_ctx2);
			break;
		}
		if(
			(*num_entries) >= INT_MAX-count ||
			sizeof(**info) >= INT_MAX/(*num_entries)
		)
		{
			DEBUG(0,("enum_dom_groups: integer overflow detected.\n"));
			talloc_destroy(mem_ctx2);
			cli_samr_close(hnd->cli, mem_ctx, &dom_pol);
			return NT_STATUS_NO_MEMORY;
		}
		(*info) = talloc_realloc(mem_ctx, *info, 
					 sizeof(**info) * ((*num_entries) + count));
		if (! *info) {


#define MAX_LOOKUP_RIDS 900

        *names = talloc_zero_array(mem_ctx, *num_names, sizeof(char *));
        *name_types = talloc_zero_array(mem_ctx, *num_names, sizeof(uint32));

        for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
                int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);

Lines 438-444 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbindd_user.c (-2 / +7 lines)
438	num_users = MIN(MAX_GETPWENT_USERS, state->request.data.num_entries);	438	num_users = MIN(MAX_GETPWENT_USERS, state->request.data.num_entries);
439		439
440	if ((state->response.extra_data =	440	if ((state->response.extra_data =
441	malloc(num_users * sizeof(struct winbindd_pw))) == NULL)	441	malloc_array(num_users, sizeof(struct winbindd_pw))) == NULL)
442	return WINBINDD_ERROR;	442	return WINBINDD_ERROR;
443		443
444	memset(state->response.extra_data, 0, num_users *	444	memset(state->response.extra_data, 0, num_users *
Lines 601-607 Link Here
601	/* Allocate some memory for extra data */	601	/* Allocate some memory for extra data */
602		602
603	total_entries += num_entries;	603	total_entries += num_entries;
604		604	if(sizeof(fstring) >= UINT_MAX/total_entries)
		605	{
		606	DEBUG(0,("winbindd_list_users: integer overflow detected.\n"));
		607	SAFE_FREE(extra_data);
		608	goto done;
		609	}
605	ted = Realloc(extra_data, sizeof(fstring) * total_entries);	610	ted = Realloc(extra_data, sizeof(fstring) * total_entries);
606		611
607	if (!ted) {	612	if (!ted) {

Lines 1307-1313 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbind_nss.c (-1 / +1 lines)
1307	if (gid_list[i] == group) continue;	1307	if (gid_list[i] == group) continue;
1308		1308
1309	/* Add to buffer */	1309	/* Add to buffer */
1310		1310	// XXX thomas: realloc arg needs constraints */
1311	if (start == size && limit <= 0) {	1311	if (start == size && limit <= 0) {
1312	(*groups) = realloc(	1312	(*groups) = realloc(
1313	(groups), (2 (size) + 1) sizeof(**groups));	1313	(groups), (2 (size) + 1) sizeof(**groups));

Lines 238-244 Link Here

(-)samba-2.2.8a.orig/source/pam_smbpass/support.c (-1 / +1 lines)
238	if (x != NULL) {	238	if (x != NULL) {
239	register int i;	239	register int i;
240		240
241	for (i = 0; x[i]; ++i); /* length of string */	241	for (i = 0; x[i] && i < INT_MAX; ++i); /* length of string */
242	if ((new = malloc(++i)) == NULL) {	242	if ((new = malloc(++i)) == NULL) {
243	i = 0;	243	i = 0;
244	_log_err( LOG_CRIT, "out of memory in smbpXstrDup" );	244	_log_err( LOG_CRIT, "out of memory in smbpXstrDup" );

Lines 1924-1930 Link Here

(-)samba-2.2.8a.orig/source/param/loadparm.c (-2 / +2 lines)
1924	service **tsp;	1924	service **tsp;
1925		1925
1926	#ifdef __INSURE__	1926	#ifdef __INSURE__
1927	service *oldservices = iNumServices ? malloc(sizeof(service ) * iNumServices) : NULL;	1927	service *oldservices = iNumServices ? malloc_array(sizeof(service ), iNumServices) : NULL;
1928		1928
1929	if (iNumServices)	1929	if (iNumServices)
1930	memcpy(oldservices, ServicePtrs, sizeof(service ) iNumServices);	1930	memcpy(oldservices, ServicePtrs, sizeof(service ) iNumServices);
Lines 2744-2750 Link Here
2744	{	2744	{
2745	int i;	2745	int i;
2746	SAFE_FREE(pservice->copymap);	2746	SAFE_FREE(pservice->copymap);
2747	pservice->copymap = (BOOL )malloc(sizeof(BOOL) NUMPARAMETERS);	2747	pservice->copymap = (BOOL *)malloc_array(sizeof(BOOL), NUMPARAMETERS);
2748	if (!pservice->copymap)	2748	if (!pservice->copymap)
2749	DEBUG(0,	2749	DEBUG(0,
2750	("Couldn't allocate copymap!! (size %d)\n",	2750	("Couldn't allocate copymap!! (size %d)\n",

Lines 126-132 Link Here

(-)samba-2.2.8a.orig/source/passdb/pampass.c (-2 / +2 lines)
126	return PAM_CONV_ERR;	126	return PAM_CONV_ERR;
127	}	127	}
128		128
129	reply = malloc(sizeof(struct pam_response) * num_msg);	129	reply = malloc_array(sizeof(struct pam_response), num_msg);
130	if (!reply)	130	if (!reply)
131	return PAM_CONV_ERR;	131	return PAM_CONV_ERR;
132		132
Lines 286-292 Link Here
286	return PAM_CONV_ERR;	286	return PAM_CONV_ERR;
287	}	287	}
288		288
289	reply = malloc(sizeof(struct pam_response) * num_msg);	289	reply = malloc_array(sizeof(struct pam_response), num_msg);
290	if (!reply) {	290	if (!reply) {
291	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));	291	DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
292	free_pw_chat(pw_chat);	292	free_pw_chat(pw_chat);

Lines 1614-1620 Link Here

(-)samba-2.2.8a.orig/source/passdb/passdb.c (-2 / +2 lines)
1614	if (sampass->nt_pw!=NULL)	1614	if (sampass->nt_pw!=NULL)
1615	DEBUG(4,("pdb_set_nt_passwd: NT hash non NULL overwritting ?\n"));	1615	DEBUG(4,("pdb_set_nt_passwd: NT hash non NULL overwritting ?\n"));
1616	else	1616	else
1617	sampass->nt_pw=(unsigned char )malloc(sizeof(unsigned char)16);	1617	sampass->nt_pw=(unsigned char *)malloc_array(sizeof(unsigned char), 16);
1618		1618
1619	if (sampass->nt_pw==NULL)	1619	if (sampass->nt_pw==NULL)
1620	return False;	1620	return False;
Lines 1645-1651 Link Here
1645	if (sampass->lm_pw!=NULL)	1645	if (sampass->lm_pw!=NULL)
1646	DEBUG(4,("pdb_set_lanman_passwd: LM hash non NULL overwritting ?\n"));	1646	DEBUG(4,("pdb_set_lanman_passwd: LM hash non NULL overwritting ?\n"));
1647	else	1647	else
1648	sampass->lm_pw=(unsigned char )malloc(sizeof(unsigned char)16);	1648	sampass->lm_pw=(unsigned char *)malloc_array(sizeof(unsigned char), 16);
1649		1649
1650	if (sampass->lm_pw==NULL)	1650	if (sampass->lm_pw==NULL)
1651	return False;	1651	return False;

Lines 480-485 Link Here

(-)samba-2.2.8a.orig/source/passdb/pdb_ldap.c (+10 lines)
480		480
481	if (mods[i] == NULL)	481	if (mods[i] == NULL)
482	{	482	{
		483	if((i+2) >= INT_MAX/sizeof (LDAPMod *))
		484	{
		485	DEBUG(0,("make_a_mod: integer overflow detected.\n"));
		486	return;
		487	}
483	mods = (LDAPMod *) Realloc (mods, (i + 2) sizeof (LDAPMod *));	488	mods = (LDAPMod *) Realloc (mods, (i + 2) sizeof (LDAPMod *));
484	if (mods == NULL)	489	if (mods == NULL)
485	{	490	{
Lines 504-509 Link Here
504	if (mods[i]->mod_values != NULL) {	509	if (mods[i]->mod_values != NULL) {
505	for (; mods[i]->mod_values[j] != NULL; j++);	510	for (; mods[i]->mod_values[j] != NULL; j++);
506	}	511	}
		512	if((j+2) >= INT_MAX/sizeof(char *))
		513	{
		514	DEBUG(0,("make_a_mod: integer overflow detected.\n"));
		515	return;
		516	}
507	mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,	517	mods[i]->mod_values = (char **)Realloc(mods[i]->mod_values,
508	(j + 2) * sizeof (char *));	518	(j + 2) * sizeof (char *));
509		519

Lines 1244-1250 Link Here

(-)samba-2.2.8a.orig/source/passdb/pdb_nisplus.c (-2 / +2 lines)
1244		1244
1245	ta_maxcol = obj->TA_data.ta_maxcol;	1245	ta_maxcol = obj->TA_data.ta_maxcol;
1246		1246
1247	if(!(ecol = (entry_col)malloc(ta_maxcolsizeof(entry_col)))) {	1247	if(!(ecol = (entry_col*)malloc_array(ta_maxcol, sizeof(entry_col)))) {
1248	DEBUG(0, ("memory allocation failure\n"));	1248	DEBUG(0, ("memory allocation failure\n"));
1249	nis_freeresult(tblresult);	1249	nis_freeresult(tblresult);
1250	return False;	1250	return False;
Lines 1326-1332 Link Here
1326	memmove((char *)&new_obj, obj, sizeof (new_obj));	1326	memmove((char *)&new_obj, obj, sizeof (new_obj));
1327	ta_maxcol = obj->TA_data.ta_maxcol;	1327	ta_maxcol = obj->TA_data.ta_maxcol;
1328		1328
1329	if(!(ecol = (entry_col)malloc(ta_maxcolsizeof(entry_col)))) {	1329	if(!(ecol = (entry_col*)malloc_array(ta_maxcol, sizeof(entry_col)))) {
1330	DEBUG(0, ("memory allocation failure\n"));	1330	DEBUG(0, ("memory allocation failure\n"));
1331	nis_freeresult(result);	1331	nis_freeresult(result);
1332	return False;	1332	return False;




    con->execs = NULL;
    con->numExecs = 0;
    con->finalArgvAlloced = argc * 2;
    con->finalArgv = calloc_array( con->finalArgvAlloced, sizeof(*con->finalArgv) );
    con->execAbsolute = 1;
    con->arg_strip = NULL;


       time 'round */
    if ((con->finalArgvCount + 1) >= (con->finalArgvAlloced)) {
	con->finalArgvAlloced += 10;
	con->finalArgv = realloc_array(con->finalArgv,
			sizeof(*con->finalArgv), con->finalArgvAlloced);
    }

    i = con->finalArgvCount++;

    int pos = 0;
    const char * script = con->doExec->script;

    argv = malloc_array(sizeof(*argv),
			(6 + con->numLeftovers + con->finalArgvCount));

    if (!con->execAbsolute && strchr(script, '/')) return;


    /* SunOS won't realloc(NULL, ...) */
    if (!con->aliases)
	con->aliases = malloc_array(sizeof(newAlias), con->numAliases);
    else
	con->aliases = realloc_array(con->aliases,
			       sizeof(newAlias), con->numAliases);
    alias = con->aliases + aliasNum;

    alias->longName = (newAlias.longName)

Lines 40-47 Link Here

(-)samba-2.2.8a.orig/source/popt/poptconfig.c (-2 / +2 lines)
40	alias.longName = longName, alias.shortName = shortName;	40	alias.longName = longName, alias.shortName = shortName;
41	poptAddAlias(con, alias, 0);	41	poptAddAlias(con, alias, 0);
42	} else if (!strcmp(entryType, "exec")) {	42	} else if (!strcmp(entryType, "exec")) {
43	con->execs = realloc(con->execs,	43	con->execs = realloc_array(con->execs,
44	sizeof(con->execs) (con->numExecs + 1));	44	sizeof(*con->execs), (con->numExecs + 1));
45	if (longName)	45	if (longName)
46	con->execs[con->numExecs].longName = xstrdup(longName);	46	con->execs[con->numExecs].longName = xstrdup(longName);
47	else	47	else

Lines 40-46 Link Here

(-)samba-2.2.8a.orig/source/popt/poptparse.c (-2 / +2 lines)
40	const char * src;	40	const char * src;
41	char quote = '\0';	41	char quote = '\0';
42	int argvAlloced = POPT_ARGV_ARRAY_GROW_DELTA;	42	int argvAlloced = POPT_ARGV_ARRAY_GROW_DELTA;
43	const char ** argv = malloc(sizeof(argv) argvAlloced);	43	const char ** argv = malloc_array(sizeof(*argv), argvAlloced);
44	int argc = 0;	44	int argc = 0;
45	int buflen = strlen(s) + 1;	45	int buflen = strlen(s) + 1;
46	char *buf0 = calloc(buflen, 1);	46	char *buf0 = calloc(buflen, 1);
Lines 67-73 Link Here
67	buf++, argc++;	67	buf++, argc++;
68	if (argc == argvAlloced) {	68	if (argc == argvAlloced) {
69	argvAlloced += POPT_ARGV_ARRAY_GROW_DELTA;	69	argvAlloced += POPT_ARGV_ARRAY_GROW_DELTA;
70	argv = realloc(argv, sizeof(argv) argvAlloced);	70	argv = realloc_array(argv, sizeof(*argv), argvAlloced);
71	}	71	}
72	argv[argc] = buf;	72	argv[argc] = buf;
73	}	73	}




		SAFE_FREE(dbuf.dptr);
		if (ret != dbuf.dsize) continue;

		tl = realloc_array(*list, sizeof(nt_forms_struct), (n+1));
		if (!tl) {
			DEBUG(0,("get_ntforms: Realloc fail.\n"));
			return 0;

	}

	if (update==False) {
		if((tl=realloc_array(*list, (n+1), sizeof(nt_forms_struct))) == NULL) {
			DEBUG(0,("add_a_form: failed to enlarge forms list!\n"));
			return False;
		}

	     newkey = tdb_nextkey(tdb_drivers, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
		if (strncmp(kbuf.dptr, key, strlen(key)) != 0) continue;
		
		if((fl = realloc_array(*list, sizeof(fstring), (total+1))) == NULL) {
			DEBUG(0,("get_ntdrivers: failed to enlarge list!\n"));
			return -1;
		}

	fstrcpy(info.configfile, "");
	fstrcpy(info.helpfile, "");

	if ((info.dependentfiles=(fstring *)malloc_array(2, sizeof(fstring))) == NULL)
		return WERR_NOMEM;

	memset(info.dependentfiles, '\0', 2*sizeof(fstring));

	while (len < dbuf.dsize) {
		fstring *tddfs;

		tddfs = (fstring *)realloc_array(driver.dependentfiles,
							 sizeof(fstring), (i+2));
		if (tddfs == NULL) {
			DEBUG(0,("get_a_printer_driver_3: failed to enlarge buffer!\n"));
			break;

	/* exited because it exist */
	*type=param->type;		
	StrnCpy(value, param->value, sizeof(fstring)-1);
	*data=(uint8 *)malloc_array(param->data_len, sizeof(uint8));
	if(*data == NULL)
		return False;
	ZERO_STRUCTP(*data);

		/* exited because it exist */
		*type=param->type;	
		
		*data=(uint8 *)malloc_array(param->data_len, sizeof(uint8));
		if(*data == NULL)
			return False;
		memcpy(*data, param->data, param->data_len);

Lines 920-926 Link Here

(-)samba-2.2.8a.orig/source/printing/print_cups.c (-1 / +1 lines)
920	{	920	{
921	qalloc += 16;	921	qalloc += 16;
922		922
923	temp = Realloc(queue, sizeof(print_queue_struct) * qalloc);	923	temp = realloc_array(queue, sizeof(print_queue_struct), qalloc);
924		924
925	if (temp == NULL)	925	if (temp == NULL)
926	{	926	{

Lines 218-224 Link Here

(-)samba-2.2.8a.orig/source/printing/print_generic.c (-1 / +1 lines)
218	qcount = 0;	218	qcount = 0;
219	ZERO_STRUCTP(status);	219	ZERO_STRUCTP(status);
220	if (numlines)	220	if (numlines)
221	queue = (print_queue_struct )malloc(sizeof(print_queue_struct)(numlines+1));	221	queue = (print_queue_struct *)malloc_array(sizeof(print_queue_struct), (numlines+1));
222		222
223	if (queue) {	223	if (queue) {
224	for (i=0; i<numlines; i++) {	224	for (i=0; i<numlines; i++) {

Lines 1314-1320 Link Here

(-)samba-2.2.8a.orig/source/printing/printing.c (-1 / +1 lines)
1314		1314
1315	/* Allocate the queue size. */	1315	/* Allocate the queue size. */
1316	if ((tstruct.queue = (print_queue_struct *)	1316	if ((tstruct.queue = (print_queue_struct *)
1317	malloc(sizeof(print_queue_struct)*tsc.count)) == NULL)	1317	malloc_array(sizeof(print_queue_struct), tsc.count)) == NULL)
1318	return 0;	1318	return 0;
1319		1319
1320	/*	1320	/*

Lines 142-148 Link Here

(-)samba-2.2.8a.orig/source/rpcclient/cmd_lsarpc.c (-1 / +1 lines)
142		142
143	/* Convert arguments to sids */	143	/* Convert arguments to sids */
144		144
145	sids = (DOM_SID )talloc(mem_ctx, sizeof(DOM_SID) (argc - 1));	145	sids = (DOM_SID *)talloc_array(mem_ctx, sizeof(DOM_SID), (argc - 1));
146		146
147	if (!sids) {	147	if (!sids) {
148	printf("could not allocate memory for %d sids\n", argc - 1);	148	printf("could not allocate memory for %d sids\n", argc - 1);

Lines 1045-1051 Link Here

(-)samba-2.2.8a.orig/source/rpcclient/cmd_samr.c (-2 / +2 lines)
1045	/* Look up names */	1045	/* Look up names */
1046		1046
1047	num_names = argc - 2;	1047	num_names = argc - 2;
1048	names = (const char *)talloc(mem_ctx, sizeof(char ) * num_names);	1048	names = (const char *)talloc_array(mem_ctx, sizeof(char ), num_names);
1049		1049
1050	for (i = 0; i < argc - 2; i++)	1050	for (i = 0; i < argc - 2; i++)
1051	names[i] = argv[i + 2];	1051	names[i] = argv[i + 2];
Lines 1106-1112 Link Here
1106	/* Look up rids */	1106	/* Look up rids */
1107		1107
1108	num_rids = argc - 1;	1108	num_rids = argc - 1;
1109	rids = (uint32 )talloc(mem_ctx, sizeof(uint32) num_rids);	1109	rids = (uint32 *)talloc_array(mem_ctx, sizeof(uint32), num_rids);
1110		1110
1111	for (i = 0; i < argc - 1; i++)	1111	for (i = 0; i < argc - 1; i++)
1112	sscanf(argv[i + 1], "%i", &rids[i]);	1112	sscanf(argv[i + 1], "%i", &rids[i]);

Lines 1031-1037 Link Here

(-)samba-2.2.8a.orig/source/rpcclient/cmd_spoolss.c (-1 / +1 lines)
1031	/* allocate the space; add one extra slot for a terminating NULL.	1031	/* allocate the space; add one extra slot for a terminating NULL.
1032	Each filename is NULL terminated and the end contains a double	1032	Each filename is NULL terminated and the end contains a double
1033	NULL */	1033	NULL */
1034	if ((info->dependentfiles=(uint16)talloc(mem_ctx, (len+1)sizeof(uint16))) == NULL)	1034	if ((info->dependentfiles=(uint16*)talloc_array(mem_ctx, (len+1), sizeof(uint16))) == NULL)
1035	{	1035	{
1036	DEBUG(0,("init_drv_info_3_members: Unable to malloc memory for dependenfiles\n"));	1036	DEBUG(0,("init_drv_info_3_members: Unable to malloc memory for dependenfiles\n"));
1037	return False;	1037	return False;

Lines 54-60 Link Here

(-)samba-2.2.8a.orig/source/rpcclient/rpcclient.c (-2 / +2 lines)
54	if (!commands)	54	if (!commands)
55	return NULL;	55	return NULL;
56		56
57	matches = (char *)malloc(sizeof(matches[0])MAX_COMPLETIONS);	57	matches = (char **)malloc_array(sizeof(matches[0]), MAX_COMPLETIONS);
58	if (!matches) return NULL;	58	if (!matches) return NULL;
59		59
60	matches[count++] = strdup(text);	60	matches[count++] = strdup(text);
Lines 463-469 Link Here
463		463
464	/* Create argument list */	464	/* Create argument list */
465		465
466	argv = (char *)malloc(sizeof(char ) * argc);	466	argv = (char *)malloc_array(sizeof(char ), argc);
467	memset(argv, 0, sizeof(char ) argc);	467	memset(argv, 0, sizeof(char ) argc);
468		468
469	if (!argv) {	469	if (!argv) {

Lines 328-334 Link Here

(-)samba-2.2.8a.orig/source/rpc_client/cli_spoolss_notify.c (-1 / +1 lines)
328	{	328	{
329	DEBUG(10,("build_notify_data: %s set on [%s][%d]\n", msg_table[i].name,	329	DEBUG(10,("build_notify_data: %s set on [%s][%d]\n", msg_table[i].name,
330	printer->info_2->printername, idx));	330	printer->info_2->printername, idx));
331	if ((data=Realloc(notify_data, (idx+1)sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {	331	if ((data=realloc_array(*notify_data, (idx+1), sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {
332	DEBUG(0,("build_notify_data: Realloc() failed with size [%d]!\n",	332	DEBUG(0,("build_notify_data: Realloc() failed with size [%d]!\n",
333	(idx+1)*sizeof(SPOOL_NOTIFY_INFO_DATA)));	333	(idx+1)*sizeof(SPOOL_NOTIFY_INFO_DATA)));
334	return -1;	334	return -1;

Lines 686-692 Link Here

(-)samba-2.2.8a.orig/source/rpc_parse/parse_lsa.c (-1 / +1 lines)
686	return False;	686	return False;
687		687
688	if (UNMARSHALLING(ps)) {	688	if (UNMARSHALLING(ps)) {
689	d_q->auditsettings = (uint32 )talloc_zero(ps->mem_ctx, d_q->count2 sizeof(uint32));	689	d_q->auditsettings = (uint32 *)talloc_zero_array(ps->mem_ctx, d_q->count2, sizeof(uint32));
690	}	690	}
691		691
692	if (d_q->auditsettings == NULL) {	692	if (d_q->auditsettings == NULL) {

Lines 950-956 Link Here

(-)samba-2.2.8a.orig/source/rpc_parse/parse_misc.c (-1 / +1 lines)
950	to->uni_str_len = i;	950	to->uni_str_len = i;
951		951
952	/* allocate the space and copy the string buffer */	952	/* allocate the space and copy the string buffer */
953	to->buffer = (uint16 )talloc_zero(get_talloc_ctx(), sizeof(uint16)(to->uni_str_len));	953	to->buffer = (uint16 *)talloc_zero_array(get_talloc_ctx(), sizeof(uint16), (to->uni_str_len));
954	if (to->buffer == NULL)	954	if (to->buffer == NULL)
955	smb_panic("init_unistr2_from_unistr: malloc fail\n");	955	smb_panic("init_unistr2_from_unistr: malloc fail\n");
956	memcpy(to->buffer, from->buffer, to->uni_max_len*sizeof(uint16));	956	memcpy(to->buffer, from->buffer, to->uni_max_len*sizeof(uint16));




			;

		/* Now allocate space for them. */
		*ppsids = (DOM_SID2 *)talloc_zero_array(ctx, count, sizeof(DOM_SID2));
		if (*ppsids == NULL)
			return 0;


	/* always have at least one group == the user's primary group */
	usr->num_groups2 = num_groups+1;

	usr->gids = (DOM_GID *)talloc_zero_array(ctx,sizeof(DOM_GID), (num_groups+1));
	if (usr->gids == NULL)
		return;


			return False;
		}

                info->rids = talloc_array(ps->mem_ctx, sizeof(uint32),
                                    info->num_members2);

                if (info->rids == NULL) {

			return False;
		}

                info->ptr_sids = talloc_array(ps->mem_ctx, sizeof(uint32),
                                        info->num_sids);
                
                if (info->ptr_sids == NULL) {

                                return False;
		}

                info->sids = talloc_array(ps->mem_ctx, sizeof(DOM_SID2),
                                    info->num_sids);

                if (info->sids == NULL) {


                        if (r_s->num_deltas2 > 0) {
                                r_s->hdr_deltas = (SAM_DELTA_HDR *)
                                        talloc_array(ps->mem_ctx, r_s->num_deltas2,
                                               sizeof(SAM_DELTA_HDR));
                          
                                if (r_s->hdr_deltas == NULL) {


                        if (r_s->num_deltas2 > 0) {
                                r_s->deltas = (SAM_DELTA_CTR *)
                                        talloc_array(ps->mem_ctx, r_s->num_deltas2,
                                               sizeof(SAM_DELTA_CTR));

                                if (r_s->deltas == NULL) {

		{
                        if (r_s->num_deltas > 0) {
                                r_s->hdr_deltas = (SAM_DELTA_HDR *)
                                        talloc_array(ps->mem_ctx, r_s->num_deltas,
                                               sizeof(SAM_DELTA_HDR));
                                if (r_s->hdr_deltas == NULL) {
                                        DEBUG(0, ("error tallocating memory "

                        
                        if (r_s->num_deltas > 0) {
                                r_s->deltas = (SAM_DELTA_CTR *)
                                        talloc_array(ps->mem_ctx, r_s->num_deltas,
                                               sizeof(SAM_DELTA_CTR));

                                if (r_s->deltas == NULL) {




	if (num_entries==0)
		return NT_STATUS_OK;

	sam->sam=(SAM_ENTRY1 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY1));
	if (!sam->sam)
		return NT_STATUS_NO_MEMORY;

	sam->str=(SAM_STR1 *)talloc_array(ctx, num_entries, sizeof(SAM_STR1));
	if (!sam->str)
		return NT_STATUS_NO_MEMORY;


	if (num_entries==0)
		return NT_STATUS_OK;

	if (!(sam->sam=(SAM_ENTRY2 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY2))))
		return NT_STATUS_NO_MEMORY;

	if (!(sam->str=(SAM_STR2 *)talloc_array(ctx, num_entries, sizeof(SAM_STR2))))
		return NT_STATUS_NO_MEMORY;

	ZERO_STRUCTP(sam->sam);

	if (num_entries==0)
		return NT_STATUS_OK;

	if (!(sam->sam=(SAM_ENTRY3 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY3))))
		return NT_STATUS_NO_MEMORY;

	if (!(sam->str=(SAM_STR3 *)talloc_array(ctx, num_entries, sizeof(SAM_STR3))))
		return NT_STATUS_NO_MEMORY;

	ZERO_STRUCTP(sam->sam);

	if (num_entries==0)
		return NT_STATUS_OK;

	if (!(sam->sam=(SAM_ENTRY4 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY4))))
		return NT_STATUS_NO_MEMORY;

	if (!(sam->str=(SAM_STR4 *)talloc_array(ctx, num_entries, sizeof(SAM_STR4))))
		return NT_STATUS_NO_MEMORY;

	ZERO_STRUCTP(sam->sam);

	if (num_entries==0)
		return NT_STATUS_OK;

	if (!(sam->sam=(SAM_ENTRY5 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY5))))
		return NT_STATUS_NO_MEMORY;

	if (!(sam->str=(SAM_STR5 *)talloc_array(ctx, num_entries, sizeof(SAM_STR5))))
		return NT_STATUS_NO_MEMORY;

	ZERO_STRUCTP(sam->sam);

	q_u->flags = flags;
	q_u->ptr = 0;
	q_u->num_rids2 = num_rids;
	q_u->rid = (uint32 *)talloc_zero_array(ctx, num_rids, sizeof(q_u->rid[0]));
	if (q_u->rid == NULL) {
		q_u->num_rids1 = 0;
		q_u->num_rids2 = 0;

	q_u->ptr = 0;
	q_u->num_names2 = num_names;

	if (!(q_u->hdr_name = (UNIHDR *)talloc_zero_array(ctx, num_names, sizeof(UNIHDR))))
		return NT_STATUS_NO_MEMORY;

	if (!(q_u->uni_name = (UNISTR2 *)talloc_zero_array(ctx, num_names, sizeof(UNISTR2))))
		return NT_STATUS_NO_MEMORY;

	for (i = 0; i < num_names; i++) {

		r_u->ptr_rids = 1;
		r_u->num_rids2 = num_rids;

		if (!(r_u->rids = (uint32 *)talloc_zero_array(ctx, sizeof(uint32), num_rids)))
			return NT_STATUS_NO_MEMORY;
		if (!(r_u->types = (uint32 *)talloc_zero_array(ctx, sizeof(uint32), num_rids)))
			return NT_STATUS_NO_MEMORY;

		if (!r_u->rids || !r_u->types)

Lines 130-136 Link Here

(-)samba-2.2.8a.orig/source/rpc_parse/parse_sec.c (-1 / +1 lines)
130	positive number. */	130	positive number. */
131		131
132	if ((num_aces) &&	132	if ((num_aces) &&
133	((dst->ace = (SEC_ACE )talloc(ctx, sizeof(SEC_ACE) num_aces))	133	((dst->ace = (SEC_ACE *)talloc_array(ctx, sizeof(SEC_ACE), num_aces))
134	== NULL)) {	134	== NULL)) {
135	return NULL;	135	return NULL;
136	}	136	}





			/* Yes this should be malloc not talloc. Don't change. */

			chaine.buffer = malloc_array((q-p+1), sizeof(uint16));
			if (chaine.buffer == NULL)
				return False;


	while (src < ((char *)buf5->buffer) + buf5->buf_len*2) {
		unistr_to_dos(f, src, sizeof(f)-1);
		src = skip_unibuf(src, 2*buf5->buf_len - PTR_DIFF(src,buf5->buffer));
		tar = (fstring *)realloc_array(*ar, sizeof(fstring), (n+2));
		if (!tar)
			return False;
		else

	(*param)->data_len=len;
	
	if (len) {
		(*param)->data=(uint8 *)malloc_array(len, sizeof(uint8));
		if((*param)->data == NULL)
			return False;
		memcpy((*param)->data, data, len);




  else
    jn.referral_count = 1;

  jn.referral_list = (struct referral*) talloc_array(p->mem_ctx, jn.referral_count, 
					       sizeof(struct referral));

  if(jn.referral_list == NULL)
    {

      dfs3[i].ptr_storages = 1;
     
      /* also enumerate the storages */
      dfs3[i].storages = (DFS_STORAGE_INFO*) talloc_array(ctx, j[i].referral_count, 
						    sizeof(DFS_STORAGE_INFO));
      if (!dfs3[i].storages)
        return False;

    case 1:
      {
	DFS_INFO_1* dfs1;
	dfs1 = (DFS_INFO_1*) talloc_array(ctx, num_jn, sizeof(DFS_INFO_1));
	if (!dfs1)
		return WERR_NOMEM;
	init_reply_dfs_info_1(jn, dfs1, num_jn);

    case 2:
      {
	DFS_INFO_2* dfs2;
	dfs2 = (DFS_INFO_2*) talloc_array(ctx, num_jn, sizeof(DFS_INFO_2));
	if (!dfs2)
		return WERR_NOMEM;
	init_reply_dfs_info_2(jn, dfs2, num_jn);

    case 3:
      {
	DFS_INFO_3* dfs3;
	dfs3 = (DFS_INFO_3*) talloc_array(ctx, num_jn, sizeof(DFS_INFO_3));
	if (!dfs3)
		return WERR_NOMEM;
	init_reply_dfs_info_3(ctx, jn, dfs3, num_jn);




	/* Allocate memory for list of names */

	if (num_entries > 0) {
		if (!(trn->name = (LSA_TRANS_NAME *)talloc_array(ctx, sizeof(LSA_TRANS_NAME),
							  num_entries))) {
			DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
			return;
		}

		if (!(trn->uni_name = (UNISTR2 *)talloc_array(ctx, sizeof(UNISTR2),
							num_entries))) {
			DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
			return;

			info->id2.auditing_enabled = 1;
			info->id2.count1 = 7;
			info->id2.count2 = 7;
			if ((info->id2.auditsettings = (uint32 *)talloc_array(p->mem_ctx, 7, sizeof(uint32))) == NULL)
				return NT_STATUS_NO_MEMORY;
			for (i = 0; i < 7; i++)
				info->id2.auditsettings[i] = 3;

	if (enum_context >= PRIV_ALL_INDEX)
		return NT_STATUS_UNABLE_TO_FREE_VM;

	entries = (LSA_PRIV_ENTRY *)talloc_zero_array(p->mem_ctx, sizeof(LSA_PRIV_ENTRY), (PRIV_ALL_INDEX-enum_context));
	if (entries==NULL)
		return NT_STATUS_NO_MEMORY;





		if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {
		
			DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
			pwd_array=(DISP_USER_INFO *)realloc_array(info->disp_info.disp_user_info, 
			                  (info->disp_info.num_user_account+MAX_SAM_ENTRIES), sizeof(DISP_USER_INFO));

			if (pwd_array==NULL)
				return NT_STATUS_NO_MEMORY;

	static BOOL group_map_init;
	extern DOM_SID global_sam_sid;

	*ret_map = (GROUP_MAP *)malloc_array(sizeof(GROUP_MAP), 2);
	if (!ret_map)
		return 2;
	


	info->disp_info.num_group_account=group_entries;

	grp_array=(DISP_GROUP_INFO *)malloc_array(info->disp_info.num_group_account, sizeof(DISP_GROUP_INFO));

	if (group_entries!=0 && grp_array==NULL) {
		return NT_STATUS_NO_MEMORY;

	if (num_sam_entries == 0)
		return;

	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);

	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);

	if (sam == NULL || uni_name == NULL) {
		DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));

	if (num_sam_entries == 0)
		return;

	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);

	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);

	if (sam == NULL || uni_name == NULL) {
		DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));

	switch (q_u->switch_level) {
	case 0x1:
		if (max_entries) {
			if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_1))))
				return NT_STATUS_NO_MEMORY;
		}
		disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, info->disp_info.disp_user_info);

		break;
	case 0x2:
		if (max_entries) {
			if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_2))))
				return NT_STATUS_NO_MEMORY;
		}
		disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, info->disp_info.disp_user_info);

		break;
	case 0x3:
		if (max_entries) {
			if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_3))))
				return NT_STATUS_NO_MEMORY;
		}
		disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);

		break;
	case 0x4:
		if (max_entries) {
			if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_4))))
				return NT_STATUS_NO_MEMORY;
		}
		disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);

		break;
	case 0x5:
		if (max_entries) {
			if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_5))))
				return NT_STATUS_NO_MEMORY;
		}
		disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);

	*pp_hdr_name = NULL;

	if (num_names != 0) {
		hdr_name = (UNIHDR *)talloc_zero_array(ctx, sizeof(UNIHDR), num_names);
		if (hdr_name == NULL)
			return False;

		uni_name = (UNISTR2 *)talloc_zero_array(ctx,sizeof(UNISTR2), num_names);
		if (uni_name == NULL)
			return False;
	}

	}

	if (num_rids) {
		if ((group_attrs = (uint32 *)talloc_zero_array(p->mem_ctx, num_rids, sizeof(uint32))) == NULL)
			return NT_STATUS_NO_MEMORY;
	}


	if (num_sam_entries == 0)
		return True;

	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);
	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);

	if (sam == NULL || uni_name == NULL)
		return False;

	int num_rids;

	num_rids = 1;
	rid=(uint32 *)talloc_zero_array(p->mem_ctx, num_rids, sizeof(uint32));
	if (rid == NULL)
		return NT_STATUS_NO_MEMORY;





	
	len = unistrlen(devmode->devicename.buffer);
	if (len != -1) {
		d->devicename.buffer = talloc_array(ctx, len, 2);
		if (unistrcpy(d->devicename.buffer, devmode->devicename.buffer) != len)
			return NULL;
	}


	len = unistrlen(devmode->formname.buffer);
	if (len != -1) {
		d->devicename.buffer = talloc_array(ctx, len, 2);
		if (unistrcpy(d->formname.buffer, devmode->formname.buffer) != len)
			return NULL;
	}

	if ((devmode->driverextra != 0) && (devmode->private != NULL)) {
		SAFE_FREE(nt_devmode->private);
		nt_devmode->driverextra=devmode->driverextra;
		if((nt_devmode->private=(uint8 *)malloc_array(nt_devmode->driverextra, sizeof(uint8))) == NULL)
			return False;
		memcpy(nt_devmode->private, devmode->private, nt_devmode->driverextra);
	}

		
	if (!strcmp(value, "W3SvcInstalled")) {
		*type = 0x4;
		if((*data = (uint8 *)talloc_zero_array(ctx, 4, sizeof(uint8) )) == NULL)
			return False;
		*needed = 0x4;			
		return True;

		fstrcpy(string, string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH));
		*type = 0x1;			
		*needed = 2*(strlen(string)+1);		
		if((*data  = (uint8 *)talloc_array(ctx, ((*needed > in_size) ? *needed:in_size), sizeof(uint8))) == NULL)
			return False;
		memset(*data, 0, (*needed > in_size) ? *needed:in_size);
		

		pstring string="Windows NT x86";
		*type = 0x1;			
		*needed = 2*(strlen(string)+1);	
		if((*data  = (uint8 *)talloc_array(ctx, ((*needed > in_size) ? *needed:in_size), sizeof(uint8))) == NULL)
			return False;
		memset(*data, 0, (*needed > in_size) ? *needed:in_size);
		for (i=0; i<strlen(string); i++) {

	DEBUG(5,("getprinterdata_printer:allocating %d\n", in_size));

	if (in_size) {
		if((*data  = (uint8 *)talloc_array(ctx, in_size, sizeof(uint8) )) == NULL) {
			return False;
		}


		DEBUG(5, ("value not found, allocating %d\n", *out_size));
		/* reply this param doesn't exist */
		if (*out_size) {
			if((*data=(uint8 *)talloc_zero_array(p->mem_ctx, *out_size, sizeof(uint8))) == NULL)
				return WERR_NOMEM;
		} else {
			*data = NULL;

		if (!search_notify(type, field, &j) )
			continue;

		if((tid=(SPOOL_NOTIFY_INFO_DATA *)realloc_array(info->data, (info->count+1), sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {
			DEBUG(2,("construct_notify_printer_info: failed to enlarge buffer info->data!\n"));
			return False;
		}

		if (!search_notify(type, field, &j) )
			continue;

		if((tid=realloc_array(info->data, (info->count+1), sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {
			DEBUG(2,("construct_notify_jobs_info: failed to enlarg buffer info->data!\n"));
			return False;
		}

			DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));

			if (construct_printer_info_1(flags, &current_prt, snum)) {
				if((tp=realloc_array(printers, (*returned +1), sizeof(PRINTER_INFO_1))) == NULL) {
					DEBUG(2,("enum_all_printers_info_1: failed to enlarge printers buffer!\n"));
					SAFE_FREE(printers);
					*returned=0;

			DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));
				
			if (construct_printer_info_2(&current_prt, snum)) {
				if((tp=realloc_array(printers, (*returned +1), sizeof(PRINTER_INFO_2))) == NULL) {
					DEBUG(2,("enum_all_printers_info_2: failed to enlarge printers buffer!\n"));
					SAFE_FREE(printers);
					*returned = 0;

		if (strlen(v) == 0) break;
		slprintf(line, sizeof(line)-1, "\\\\%s%s", servername, v);
		DEBUGADD(6,("%d:%s:%d\n", i, line, strlen(line)));
		if((tuary=realloc_array(*uni_array, (j+strlen(line)+2), sizeof(uint16))) == NULL) {
			DEBUG(2,("init_unistr_array: Realloc error\n" ));
			return;
		} else

	JOB_INFO_1 *info;
	int i;
	
	info=(JOB_INFO_1 *)malloc_array(*returned, sizeof(JOB_INFO_1));
	if (info==NULL) {
		SAFE_FREE(queue);
		*returned=0;

	WERROR result;
	DEVICEMODE *devmode = NULL;
	
	info=(JOB_INFO_2 *)malloc_array(*returned, sizeof(JOB_INFO_2));
	if (info==NULL) {
		*returned=0;
		result = WERR_NOMEM;

			return WERR_NOMEM;

		if(ndrivers != 0) {
			if((tdi1=(DRIVER_INFO_1 *)realloc_array(driver_info_1, (*returned+ndrivers), sizeof(DRIVER_INFO_1))) == NULL) {
				DEBUG(0,("enumprinterdrivers_level1: failed to enlarge driver info buffer!\n"));
				SAFE_FREE(driver_info_1);
				SAFE_FREE(list);

			return WERR_NOMEM;

		if(ndrivers != 0) {
			if((tdi2=(DRIVER_INFO_2 *)realloc_array(driver_info_2, (*returned+ndrivers), sizeof(DRIVER_INFO_2))) == NULL) {
				DEBUG(0,("enumprinterdrivers_level2: failed to enlarge driver info buffer!\n"));
				SAFE_FREE(driver_info_2);
				SAFE_FREE(list);

			return WERR_NOMEM;

		if(ndrivers != 0) {
			if((tdi3=(DRIVER_INFO_3 *)realloc_array(driver_info_3, (*returned+ndrivers), sizeof(DRIVER_INFO_3))) == NULL) {
				DEBUG(0,("enumprinterdrivers_level3: failed to enlarge driver info buffer!\n"));
				SAFE_FREE(driver_info_3);
				SAFE_FREE(list);


	switch (level) {
	case 1:
		if ((forms_1=(FORM_1 *)malloc_array(*numofforms, sizeof(FORM_1))) == NULL) {
			*numofforms=0;
			return WERR_NOMEM;
		}

		close(fd);

		if(numlines) {
			if((ports=(PORT_INFO_1 *)malloc_array( numlines, sizeof(PORT_INFO_1) )) == NULL) {
				DEBUG(10,("Returning WERR_NOMEM [%s]\n", 
					  dos_errstr(WERR_NOMEM)));
				file_lines_free(qlines);

		close(fd);

		if(numlines) {
			if((ports=(PORT_INFO_2 *)malloc_array( numlines, sizeof(PORT_INFO_2) )) == NULL) {
				file_lines_free(qlines);
				return WERR_NOMEM;
			}

		   problems unmarshalling the response */

		*out_max_value_len=(in_value_len/sizeof(uint16));
		if((*out_value=(uint16 *)talloc_zero_array(p->mem_ctx, in_value_len, sizeof(uint8))) == NULL)
			return WERR_NOMEM;

		*out_value_len = (uint32)dos_PutUniCode((char *)*out_value, "", in_value_len, True);

		/* the data is counted in bytes */
		*out_max_data_len = in_data_len;
		*out_data_len = in_data_len;
		if((*data_out=(uint8 *)talloc_zero_array(p->mem_ctx, in_data_len, sizeof(uint8))) == NULL)
			return WERR_NOMEM;

		return WERR_NO_MORE_ITEMS;

	 */
	
	*out_max_value_len=(in_value_len/sizeof(uint16));
	if((*out_value=(uint16 *)talloc_zero_array(p->mem_ctx,in_value_len, sizeof(uint8))) == NULL) {
		SAFE_FREE(data);
		return WERR_NOMEM;
	}


	/* the data is counted in bytes */
	*out_max_data_len=in_data_len;
	if((*data_out=(uint8 *)talloc_zero_array(p->mem_ctx, in_data_len, sizeof(uint8))) == NULL) {
		SAFE_FREE(data);
		return WERR_NOMEM;
	}

		
		/* reply this param doesn't exist */
		if (*out_size) {
			if((*data=(uint8 *)talloc_zero_array(p->mem_ctx, *out_size, sizeof(uint8))) == NULL)
				return WERR_NOMEM;
		} else {
			*data = NULL;

		PRINTER_ENUM_VALUES	*ptr;

		DEBUG(10,("retrieved value number [%d] [%s]\n", num_entries, value));
		if((num_entries+1) >= UINT_MAX/sizeof(PRINTER_ENUM_VALUES))
		{
			DEBUG(0,("_spoolss_enumprinterdataex: integer overflow detected.\n"));
			goto done;
		}
		if ((ptr=talloc_realloc(p->mem_ctx, enum_values, (num_entries+1) * sizeof(PRINTER_ENUM_VALUES))) == NULL)
		{
			DEBUG(0,("talloc_realloc failed to allocate more memory!\n"));




		SRV_SHARE_INFO_1 *info1;
		int i = 0;

		info1 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_1));

		for (snum = *resume_hnd; snum < num_services; snum++) {
			if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares || !is_admin_share(snum)) ) {

		SRV_SHARE_INFO_2 *info2;
		int i = 0;

		info2 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_2));

		for (snum = *resume_hnd; snum < num_services; snum++) {
			if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares || !is_admin_share(snum)) ) {

		SRV_SHARE_INFO_501 *info501;
		int i = 0;
	
		info501 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_501));

		for (snum = *resume_hnd; snum < num_services; snum++) {
			if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares || !is_admin_share(snum)) ) {

		SRV_SHARE_INFO_502 *info502;
		int i = 0;

		info502 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_502));

		for (snum = *resume_hnd; snum < num_services; snum++) {
			if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares || !is_admin_share(snum)) ) {

Lines 97-103 Link Here

(-)samba-2.2.8a.orig/source/rpc_server/srv_util.c (-1 / +1 lines)
97	count++)	97	count++)
98	;	98	;
99		99
100	gids = (DOM_GID )talloc(ctx, sizeof(DOM_GID) count );	100	gids = (DOM_GID *)talloc_array(ctx, sizeof(DOM_GID), count );
101	if(!gids)	101	if(!gids)
102	{	102	{
103	DEBUG(0,("make_dom_gids: talloc fail !\n"));	103	DEBUG(0,("make_dom_gids: talloc fail !\n"));

Lines 419-425 Link Here

(-)samba-2.2.8a.orig/source/smbd/ipc.c (-1 / +1 lines)
419		419
420	if (suwcnt) {	420	if (suwcnt) {
421	int i;	421	int i;
422	if((setup = (uint16 )malloc(suwcntsizeof(uint16))) == NULL) {	422	if((setup = (uint16 *)malloc_array(suwcnt, sizeof(uint16))) == NULL) {
423	DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));	423	DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
424	SAFE_FREE(data);	424	SAFE_FREE(data);
425	SAFE_FREE(params);	425	SAFE_FREE(params);




    if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))
      queuecnt++;
  if (uLevel > 0) {
    if((queue = (print_queue_struct**)malloc_array(queuecnt, sizeof(print_queue_struct*))) == NULL) {
      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
      return False;
    }
    memset(queue,0,queuecnt*sizeof(print_queue_struct*));
    if((status = (print_status_struct*)malloc_array(queuecnt, sizeof(print_status_struct))) == NULL) {
      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
      return False;
    }
    memset(status,0,queuecnt*sizeof(print_status_struct));
    if((subcntarr = (int*)malloc_array(queuecnt, sizeof(int))) == NULL) {
      DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
      return False;
    }


      alloced += 10;
      ts = (struct srv_info_struct *)
	realloc_array(*servers, sizeof(**servers), alloced);
      if (!ts) {
        DEBUG(0,("get_server_info: failed to enlarge servers info struct!\n"));
        return(0);

Lines 141-150 Link Here

(-)samba-2.2.8a.orig/source/smbd/mangle_hash2.c (-2 / +2 lines)
141	{	141	{
142	if (prefix_cache) return True;	142	if (prefix_cache) return True;
143		143
144	prefix_cache = calloc(MANGLE_CACHE_SIZE, sizeof(char *));	144	prefix_cache = calloc_array(MANGLE_CACHE_SIZE, sizeof(char *));
145	if (!prefix_cache) return False;	145	if (!prefix_cache) return False;
146		146
147	prefix_cache_hashes = calloc(MANGLE_CACHE_SIZE, sizeof(u32));	147	prefix_cache_hashes = calloc_array(MANGLE_CACHE_SIZE, sizeof(u32));
148	if (!prefix_cache_hashes) return False;	148	if (!prefix_cache_hashes) return False;
149		149
150	return True;	150	return True;

Lines 195-201 Link Here

(-)samba-2.2.8a.orig/source/smbd/password.c (-2 / +2 lines)
195	if (sup_tok && sup_tok->num_sids)	195	if (sup_tok && sup_tok->num_sids)
196	num_sids += sup_tok->num_sids;	196	num_sids += sup_tok->num_sids;
197		197
198	if ((token->user_sids = (DOM_SID )malloc( num_sidssizeof(DOM_SID))) == NULL) {	198	if ((token->user_sids = (DOM_SID *)malloc_array( num_sids, sizeof(DOM_SID))) == NULL) {
199	SAFE_FREE(token);	199	SAFE_FREE(token);
200	return NULL;	200	return NULL;
201	}	201	}
Lines 1652-1658 Link Here
1652	}	1652	}
1653		1653
1654	ptok->num_sids = (size_t)info3.num_groups2 + info3.num_other_sids;	1654	ptok->num_sids = (size_t)info3.num_groups2 + info3.num_other_sids;
1655	if ((ptok->user_sids = (DOM_SID )malloc( sizeof(DOM_SID) ptok->num_sids )) == NULL) {	1655	if ((ptok->user_sids = (DOM_SID *)malloc_array( sizeof(DOM_SID), ptok->num_sids )) == NULL) {
1656	DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));	1656	DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
1657	SAFE_FREE(ptok);	1657	SAFE_FREE(ptok);
1658	release_server_mutex();	1658	release_server_mutex();

Lines 2387-2393 Link Here

(-)samba-2.2.8a.orig/source/smbd/posix_acls.c (-1 / +1 lines)
2387	num_dir_acls = count_canon_ace_list(dir_ace);	2387	num_dir_acls = count_canon_ace_list(dir_ace);
2388		2388
2389	/* Allocate the ace list. */	2389	/* Allocate the ace list. */
2390	if ((nt_ace_list = (SEC_ACE )malloc((num_acls + num_profile_acls + num_dir_acls) sizeof(SEC_ACE))) == NULL) {	2390	if ((nt_ace_list = (SEC_ACE *)malloc_array((num_acls + num_profile_acls + num_dir_acls), sizeof(SEC_ACE))) == NULL) {
2391	DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));	2391	DEBUG(0,("get_nt_acl: Unable to malloc space for nt_ace_list.\n"));
2392	goto done;	2392	goto done;
2393	}	2393	}

Lines 155-161 Link Here

(-)samba-2.2.8a.orig/source/smbd/sec_ctx.c (-2 / +2 lines)
155	goto fail;	155	goto fail;
156	}	156	}
157		157
158	if((groups = (gid_t )malloc(sizeof(gid_t)(ngroups+1))) == NULL) {	158	if((groups = (gid_t *)malloc_array(sizeof(gid_t), (ngroups+1))) == NULL) {
159	DEBUG(0,("setup_groups malloc fail !\n"));	159	DEBUG(0,("setup_groups malloc fail !\n"));
160	goto fail;	160	goto fail;
161	}	161	}
Lines 301-307 Link Here
301	ctx_p->ngroups = sys_getgroups(0, NULL);	301	ctx_p->ngroups = sys_getgroups(0, NULL);
302		302
303	if (ctx_p->ngroups != 0) {	303	if (ctx_p->ngroups != 0) {
304	if (!(ctx_p->groups = malloc(ctx_p->ngroups * sizeof(gid_t)))) {	304	if (!(ctx_p->groups = malloc_array(ctx_p->ngroups, sizeof(gid_t)))) {
305	DEBUG(0, ("Out of memory in push_sec_ctx()\n"));	305	DEBUG(0, ("Out of memory in push_sec_ctx()\n"));
306	delete_nt_token(&ctx_p->token);	306	delete_nt_token(&ctx_p->token);
307	return False;	307	return False;

Lines 395-401 Link Here

(-)samba-2.2.8a.orig/source/smbd/uid.c (-1 / +1 lines)
395		395
396	total_groups = current_n_groups + ptok->num_sids;	396	total_groups = current_n_groups + ptok->num_sids;
397		397
398	final_groups = (gid_t )malloc(total_groups sizeof(gid_t));	398	final_groups = (gid_t *)malloc_array(total_groups, sizeof(gid_t));
399	if (!final_groups) {	399	if (!final_groups) {
400	DEBUG(0,("add_supplementary_nt_login_groups: Failed to malloc new groups.\n"));	400	DEBUG(0,("add_supplementary_nt_login_groups: Failed to malloc new groups.\n"));
401	delete_nt_token(&new_tok);	401	delete_nt_token(&new_tok);

Lines 80-87 Link Here

(-)samba-2.2.8a.orig/source/smbwrapper/smbw_dir.c (-2 / +2 lines)
80	DEBUG(5,("%s\n", finfo->name));	80	DEBUG(5,("%s\n", finfo->name));
81		81
82	if (cur_dir->malloced == cur_dir->count) {	82	if (cur_dir->malloced == cur_dir->count) {
83	cur_dir->list = (struct file_info *)Realloc(cur_dir->list,	83	cur_dir->list = (struct file_info *)realloc_array(cur_dir->list,
84	sizeof(cur_dir->list[0])*	84	sizeof(cur_dir->list[0]),
85	(cur_dir->count+100));	85	(cur_dir->count+100));
86	if (!cur_dir->list) {	86	if (!cur_dir->list) {
87	/* oops */	87	/* oops */

Lines 1749-1754 Link Here

(-)samba-2.2.8a.orig/source/tdb/tdb.c (+8 lines)
1749	tdb->map_size = st.st_size;	1749	tdb->map_size = st.st_size;
1750	tdb->device = st.st_dev;	1750	tdb->device = st.st_dev;
1751	tdb->inode = st.st_ino;	1751	tdb->inode = st.st_ino;
		1752	if(tdb->header.hash_size == INT_MAX \|\| tdb->header.hash_size >= INT_MAX/sizeof(tdb->locked[0]))
		1753	{
		1754	TDB_LOG((tdb, 2, "tdb_open_ex: "
		1755	"integer overflow detected for %s\n",
		1756	name));
		1757	errno = ENOMEM;
		1758	goto fail;
		1759	}
1752	tdb->locked = calloc(tdb->header.hash_size+1, sizeof(tdb->locked[0]));	1760	tdb->locked = calloc(tdb->header.hash_size+1, sizeof(tdb->locked[0]));
1753	if (!tdb->locked) {	1761	if (!tdb->locked) {
1754	TDB_LOG((tdb, 2, "tdb_open_ex: "	1762	TDB_LOG((tdb, 2, "tdb_open_ex: "

Lines 32-38 Link Here

(-)samba-2.2.8a.orig/source/tests/getgroups.c (-1 / +1 lines)
32	if (ngroups <= 0)	32	if (ngroups <= 0)
33	ngroups = 32;	33	ngroups = 32;
34		34
35	igroups = (int )malloc(sizeof(int)ngroups);	35	igroups = (int *)malloc_array(sizeof(int), ngroups);
36		36
37	for (i=0;i<ngroups;i++)	37	for (i=0;i<ngroups;i++)
38	igroups[i] = 0x42424242;	38	igroups[i] = 0x42424242;

Lines 432-438 Link Here

(-)samba-2.2.8a.orig/source/utils/locktest2.c (-1 / +1 lines)
432	ZERO_STRUCT(fnum);	432	ZERO_STRUCT(fnum);
433	ZERO_STRUCT(cli);	433	ZERO_STRUCT(cli);
434		434
435	recorded = (struct record )malloc(sizeof(recorded) * numops);	435	recorded = (struct record )malloc_array(sizeof(recorded), numops);
436		436
437	for (n=0; n<numops; n++) {	437	for (n=0; n<numops; n++) {
438	recorded[n].conn = random() % NCONNECTIONS;	438	recorded[n].conn = random() % NCONNECTIONS;

Lines 376-382 Link Here

(-)samba-2.2.8a.orig/source/utils/locktest.c (-1 / +1 lines)
376	ZERO_STRUCT(fnum);	376	ZERO_STRUCT(fnum);
377	ZERO_STRUCT(cli);	377	ZERO_STRUCT(cli);
378		378
379	recorded = (struct record )malloc(sizeof(recorded) * numops);	379	recorded = (struct record )malloc_array(sizeof(recorded), numops);
380		380
381	for (n=0; n<numops; n++) {	381	for (n=0; n<numops; n++) {
382	#if PRESETS	382	#if PRESETS




  pstring linebuf;
  char *p = *buf;
  int num_lines = 0;
  char *newbuf;
  char *newbuf_p = NULL;

  if(*size == UINT_MAX)
  {
    fprintf(stderr, "%s: size %lu is too big (integer overflow).\n", prog_name, *size);
    exit(1);
  }

  if((newbuf = (char *)malloc( *size + 1)) == NULL)
  {
    fprintf(stderr, "%s: malloc fail for size %d.\n", prog_name, *size + 1);
    exit(1);




  pstring linebuf;
  char *p = *buf;
  size_t num_lines = 0;
  char *newbuf;
  char *newbuf_p = NULL;


  if(*size == UINT_MAX)
  {
    fprintf(stderr, "%s: size %lu is too big (integer overflow).\n", prog_name, *size);
    exit(1);
  }

  if((newbuf = (char *)malloc( *size + 1)) == NULL)
  {
    fprintf(stderr, "%s: malloc fail for size %u.\n", prog_name, (unsigned int)(*size + 1));
    exit(1);
  }

Lines 242-248 Link Here

(-)samba-2.2.8a.orig/source/utils/nsstest.c (-1 / +1 lines)
242	gid_t *groups = NULL;	242	gid_t *groups = NULL;
243	int i;	243	int i;
244		244
245	groups = (gid_t )malloc(size sizeof(gid_t));	245	groups = (gid_t *)malloc_array(size, sizeof(gid_t));
246	groups[0] = gid;	246	groups[0] = gid;
247		247
248	nss_initgroups(name, gid, &groups, &start, &size);	248	nss_initgroups(name, gid, &groups, &start, &size);

Lines 349-355 Link Here

(-)samba-2.2.8a.orig/source/utils/smbcacls.c (-1 / +1 lines)
349	return True;	349	return True;
350	}	350	}
351		351
352	aces = calloc(1+(*the_acl)->num_aces,sizeof(SEC_ACE));	352	aces = calloc_array(1+(*the_acl)->num_aces,sizeof(SEC_ACE));
353	memcpy(aces, (the_acl)->ace, (the_acl)->num_aces * sizeof(SEC_ACE));	353	memcpy(aces, (the_acl)->ace, (the_acl)->num_aces * sizeof(SEC_ACE));
354	memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE));	354	memcpy(aces+(*the_acl)->num_aces, ace, sizeof(SEC_ACE));
355	new = make_sec_acl(ctx,(the_acl)->revision,1+(the_acl)->num_aces, aces);	355	new = make_sec_acl(ctx,(the_acl)->revision,1+(the_acl)->num_aces, aces);




	
		if (i == len) {
			char *ret2;
			if (len == 0)
			{
				len = 1024;
			}
			else
			{
				if(len >= INT_MAX/2)
				{
					if(ret)
						free(ret);
					return NULL;
				}
				len *= 2;
			}
			ret2 = (char *)Realloc(ret, len);
			if (!ret2) return ret;
			ret = ret2;

Return to bug 64119

Lines 444-455 Link Here

(-)samba-2.2.8a.orig/source/include/proto.h (+5 lines)
444		444
445	TALLOC_CTX *talloc_init(void);	445	TALLOC_CTX *talloc_init(void);
446	void talloc(TALLOC_CTX t, size_t size);	446	void talloc(TALLOC_CTX t, size_t size);
		447	void talloc_array(TALLOC_CTX ctx, size_t el_size, unsigned int count);
447	void talloc_realloc(TALLOC_CTX t, void *ptr, size_t size);	448	void talloc_realloc(TALLOC_CTX t, void *ptr, size_t size);
448	void talloc_destroy_pool(TALLOC_CTX *t);	449	void talloc_destroy_pool(TALLOC_CTX *t);
449	void talloc_destroy(TALLOC_CTX *t);	450	void talloc_destroy(TALLOC_CTX *t);
450	size_t talloc_pool_size(TALLOC_CTX *t);	451	size_t talloc_pool_size(TALLOC_CTX *t);
451	const char * talloc_pool_name(TALLOC_CTX const *t);	452	const char * talloc_pool_name(TALLOC_CTX const *t);
452	void talloc_zero(TALLOC_CTX t, size_t size);	453	void talloc_zero(TALLOC_CTX t, size_t size);
		454	void talloc_zero_array(TALLOC_CTX t, size_t el_size, unsigned int count);
453	void talloc_memdup(TALLOC_CTX t, const void *p, size_t size);	455	void talloc_memdup(TALLOC_CTX t, const void *p, size_t size);
454	char talloc_strdup(TALLOC_CTX t, const char *p);	456	char talloc_strdup(TALLOC_CTX t, const char *p);
455	char talloc_describe_all(TALLOC_CTX rt);	457	char talloc_describe_all(TALLOC_CTX rt);
Lines 501-506 Link Here
501		503
502	/* The following definitions come from lib/util.c */	504	/* The following definitions come from lib/util.c */
503		505
		506	void *malloc_array(size_t el_size, unsigned int count);
		507	void *calloc_array(size_t size, size_t nmemb);
		508	void realloc_array(void p,size_t el_size, unsigned int count);
504	const char *tmpdir(void);	509	const char *tmpdir(void);
505	BOOL in_group(gid_t group, gid_t current_gid, int ngroups, gid_t *groups);	510	BOOL in_group(gid_t group, gid_t current_gid, int ngroups, gid_t *groups);
506	const char Atoic(const char p, int n, const char c);	511	const char Atoic(const char p, int n, const char c);

Lines 729-735 Link Here

(-)samba-2.2.8a.orig/source/lib/sysacls.c (-4 / +4 lines)
729	* acl[] array, this actually allocates an ACL with room	729	* acl[] array, this actually allocates an ACL with room
730	* for (count+1) entries	730	* for (count+1) entries
731	*/	731	*/
732	if ((a = malloc(sizeof(a) + count sizeof(struct acl))) == NULL) {	732	if ((a = malloc_array(sizeof(*a) + count, sizeof(struct acl))) == NULL) {
733	errno = ENOMEM;	733	errno = ENOMEM;
734	return NULL;	734	return NULL;
735	}	735	}
Lines 893-899 Link Here
893	* allocate a temporary buffer for the complete ACL	893	* allocate a temporary buffer for the complete ACL
894	*/	894	*/
895	acl_count = acc_acl->count + def_acl->count;	895	acl_count = acc_acl->count + def_acl->count;
896	acl_p = acl_buf = malloc(acl_count * sizeof(acl_buf[0]));	896	acl_p = acl_buf = malloc_array(acl_count, sizeof(acl_buf[0]));
897		897
898	if (acl_buf == NULL) {	898	if (acl_buf == NULL) {
899	sys_acl_free_acl(tmp_acl);	899	sys_acl_free_acl(tmp_acl);
Lines 1355-1361 Link Here
1355	{	1355	{
1356	SMB_ACL_T a;	1356	SMB_ACL_T a;
1357		1357
1358	if (count < 0) {	1358	if (count < 0 \|\| count > INT_MAX-sizeof(*a)) {
1359	errno = EINVAL;	1359	errno = EINVAL;
1360	return NULL;	1360	return NULL;
1361	}	1361	}
Lines 1832-1838 Link Here
1832	* allocate a temporary buffer for the complete ACL	1832	* allocate a temporary buffer for the complete ACL
1833	*/	1833	*/
1834	acl_count = acc_acl->count + def_acl->count;	1834	acl_count = acc_acl->count + def_acl->count;
1835	acl_p = acl_buf = malloc(acl_count * sizeof(acl_buf[0]));	1835	acl_p = acl_buf = malloc_array(acl_count, sizeof(acl_buf[0]));
1836		1836
1837	if (acl_buf == NULL) {	1837	if (acl_buf == NULL) {
1838	sys_acl_free_acl(tmp_acl);	1838	sys_acl_free_acl(tmp_acl);

Lines 674-680 Link Here

(-)samba-2.2.8a.orig/source/lib/system.c (-3 / +3 lines)
674	if (setlen == 0)	674	if (setlen == 0)
675	setlen = groups_max();	675	setlen = groups_max();
676		676
677	if((group_list = (GID_T )malloc(setlen sizeof(GID_T))) == NULL) {	677	if((group_list = (GID_T *)malloc_array(setlen, sizeof(GID_T))) == NULL) {
678	DEBUG(0,("sys_getgroups: Malloc fail.\n"));	678	DEBUG(0,("sys_getgroups: Malloc fail.\n"));
679	return -1;	679	return -1;
680	}	680	}
Lines 723-729 Link Here
723	* GID_T array of size setlen.	723	* GID_T array of size setlen.
724	*/	724	*/
725		725
726	if((group_list = (GID_T )malloc(setlen sizeof(GID_T))) == NULL) {	726	if((group_list = (GID_T *)malloc_array(setlen, sizeof(GID_T))) == NULL) {
727	DEBUG(0,("sys_setgroups: Malloc fail.\n"));	727	DEBUG(0,("sys_setgroups: Malloc fail.\n"));
728	return -1;	728	return -1;
729	}	729	}
Lines 1071-1077 Link Here
1071	for( argcl = 1; ptr; ptr = strtok(NULL, " \t"))	1071	for( argcl = 1; ptr; ptr = strtok(NULL, " \t"))
1072	argcl++;	1072	argcl++;
1073		1073
1074	if((argl = (char *)malloc((argcl + 1) sizeof(char *))) == NULL)	1074	if((argl = (char *)malloc_array((argcl + 1), sizeof(char ))) == NULL)
1075	return NULL;	1075	return NULL;
1076		1076
1077	/*	1077	/*

Lines 179-184 Link Here

(-)samba-2.2.8a.orig/source/lib/talloc.c (+20 lines)
179	return p;	179	return p;
180	}	180	}
181		181
		182	#define MAX_TALLOC_SIZE INT_MAX
		183	void talloc_array(TALLOC_CTX ctx, size_t el_size, unsigned int count)
		184	{
		185	if (count >= MAX_TALLOC_SIZE/el_size) {
		186	return NULL;
		187	}
		188	return talloc(ctx, el_size * count);
		189	}
		190
		191	void talloc_zero_array(TALLOC_CTX t, size_t el_size, unsigned int count)
		192	{
		193	void *p = talloc_array(t, el_size, count);
		194
		195	if (p)
		196	memset(p, '\0', el_size*count);
		197
		198	return p;
		199	}
		200
		201
182	/** A talloc version of realloc */	202	/** A talloc version of realloc */
183	void talloc_realloc(TALLOC_CTX t, void *ptr, size_t size)	203	void talloc_realloc(TALLOC_CTX t, void *ptr, size_t size)
184	{	204	{

Lines 86-91 Link Here

(-)samba-2.2.8a.orig/source/lib/util.c (+41 lines)
86	fstring global_myworkgroup = "";	86	fstring global_myworkgroup = "";
87	char **my_netbios_names;	87	char **my_netbios_names;
88		88
		89	/* a but huge but well... */
		90	#define MAX_ALLOC_SIZE INT_MAX
		91
		92	/****************************************************************************
		93	Type-safe malloc.
		94	****************************************************************************/
		95
		96	void *malloc_array(size_t el_size, unsigned int count)
		97	{
		98	if (count >= MAX_ALLOC_SIZE/el_size) {
		99	return NULL;
		100	}
		101	return malloc(el_size*count);
		102	}
		103
		104	/****************************************************************************
		105	Type-safe calloc.
		106	****************************************************************************/
		107
		108	void *calloc_array(size_t size, size_t nmemb)
		109	{
		110	if (nmemb >= MAX_ALLOC_SIZE/size) {
		111	return NULL;
		112	}
		113	return calloc(nmemb, size);
		114	}
		115
		116	void realloc_array(void p,size_t el_size, unsigned int count)
		117	{
		118	if (count >= MAX_ALLOC_SIZE/el_size) {
		119	return NULL;
		120	}
		121	return Realloc(p,el_size*count);
		122	}
		123
89		124
90	/****************************************************************************	125	/****************************************************************************
91	Find a suitable temporary directory. The result should be copied immediately	126	Find a suitable temporary directory. The result should be copied immediately
Lines 159-164 Link Here
159	while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') {	194	while ((p = Atoic(p, &val, ":,")) != NULL && (*p) != ':') {
160	uint32 *tn;	195	uint32 *tn;
161		196
		197	if((count) == INT_MAX \|\| ((count)+1) >= INT_MAX/sizeof(uint32))
		198	{
		199	DEBUG(0,("get_numlist: integer overflow detected.\n"));
		200	SAFE_FREE(*num);
		201	return NULL;
		202	}
162	tn = Realloc((num), ((count)+1) * sizeof(uint32));	203	tn = Realloc((num), ((count)+1) * sizeof(uint32));
163	if (tn == NULL)	204	if (tn == NULL)
164	{	205	{

Lines 1150-1159 Link Here

(-)samba-2.2.8a.orig/source/lib/util_unistr.c (-4 / +6 lines)
1150		1150
1151	smb_ucs2_t strdup_w(const smb_ucs2_t s)	1151	smb_ucs2_t strdup_w(const smb_ucs2_t s)
1152	{	1152	{
1153	size_t newlen = (strlen_w(s)+1)*sizeof(smb_ucs2_t);	1153	size_t newlen;
1154	smb_ucs2_t newstr = (smb_ucs2_t )malloc(newlen);	1154	smb_ucs2_t newstr = (smb_ucs2_t )malloc_array((strlen_w(s)+1), sizeof(smb_ucs2_t));
		1155
1155	if (newstr == NULL)	1156	if (newstr == NULL)
1156	return NULL;	1157	return NULL;
		1158	newlen = (strlen_w(s)+1)*sizeof(smb_ucs2_t);
1157	safe_strcpy_w(newstr, s, newlen);	1159	safe_strcpy_w(newstr, s, newlen);
1158	return newstr;	1160	return newstr;
1159	}	1161	}
Lines 1382-1388 Link Here
1382	*ctok = ictok;	1384	*ctok = ictok;
1383	s = last_ptr;	1385	s = last_ptr;
1384		1386
1385	if (!(ret=iret=malloc(ictoksizeof(smb_ucs2_t ))))	1387	if (!(ret=iret=malloc_array(ictok, sizeof(smb_ucs2_t *))))
1386	return NULL;	1388	return NULL;
1387		1389
1388	while(ictok--) {	1390	while(ictok--) {
Lines 1870-1876 Link Here
1870	if (l == 0)	1872	if (l == 0)
1871	*dest = null_string;	1873	*dest = null_string;
1872	else {	1874	else {
1873	(dest) = (smb_ucs2_t )malloc(sizeof(smb_ucs2_t)*(l+1));	1875	(dest) = (smb_ucs2_t )malloc_array(sizeof(smb_ucs2_t), (l+1));
1874	if ((*dest) == NULL) {	1876	if ((*dest) == NULL) {
1875	DEBUG(0,("Out of memory in string_init_w\n"));	1877	DEBUG(0,("Out of memory in string_init_w\n"));
1876	return False;	1878	return False;

Lines 282-302 Link Here

(-)samba-2.2.8a.orig/source/libsmb/cli_lsarpc.c (-12 / +12 lines)
282	goto done;	282	goto done;
283	}	283	}
284		284
285	if (!((domains) = (char )talloc(mem_ctx, sizeof(char ) *	285	if (!((domains) = (char )talloc_array(mem_ctx, sizeof(char ),
286	num_sids))) {	286	num_sids))) {
287	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));	287	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
288	result = NT_STATUS_UNSUCCESSFUL;	288	result = NT_STATUS_UNSUCCESSFUL;
289	goto done;	289	goto done;
290	}	290	}
291		291
292	if (!((names) = (char )talloc(mem_ctx, sizeof(char ) *	292	if (!((names) = (char )talloc_array(mem_ctx, sizeof(char ),
293	num_sids))) {	293	num_sids))) {
294	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));	294	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
295	result = NT_STATUS_UNSUCCESSFUL;	295	result = NT_STATUS_UNSUCCESSFUL;
296	goto done;	296	goto done;
297	}	297	}
298		298
299	if (!((types) = (uint32 )talloc(mem_ctx, sizeof(uint32) *	299	if (!((types) = (uint32 )talloc_array(mem_ctx, sizeof(uint32),
300	num_sids))) {	300	num_sids))) {
301	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));	301	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
302	result = NT_STATUS_UNSUCCESSFUL;	302	result = NT_STATUS_UNSUCCESSFUL;
Lines 400-413 Link Here
400	goto done;	400	goto done;
401	}	401	}
402		402
403	if (!((sids = (DOM_SID )talloc(mem_ctx, sizeof(DOM_SID) *	403	if (!((sids = (DOM_SID )talloc_array(mem_ctx, sizeof(DOM_SID),
404	num_names)))) {	404	num_names)))) {
405	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));	405	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
406	result = NT_STATUS_UNSUCCESSFUL;	406	result = NT_STATUS_UNSUCCESSFUL;
407	goto done;	407	goto done;
408	}	408	}
409		409
410	if (!((types = (uint32 )talloc(mem_ctx, sizeof(uint32) *	410	if (!((types = (uint32 )talloc_array(mem_ctx, sizeof(uint32),
411	num_names)))) {	411	num_names)))) {
412	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));	412	DEBUG(0, ("cli_lsa_lookup_sids(): out of memory\n"));
413	result = NT_STATUS_UNSUCCESSFUL;	413	result = NT_STATUS_UNSUCCESSFUL;
Lines 589-595 Link Here
589		589
590	/* Allocate memory for trusted domain names and sids */	590	/* Allocate memory for trusted domain names and sids */
591		591
592	domain_names = (char )talloc(mem_ctx, sizeof(char ) *	592	domain_names = (char )talloc_array(mem_ctx, sizeof(char ),
593	r.num_domains);	593	r.num_domains);
594		594
595	if (!*domain_names) {	595	if (!*domain_names) {
Lines 598-604 Link Here
598	goto done;	598	goto done;
599	}	599	}
600		600
601	domain_sids = (DOM_SID )talloc(mem_ctx, sizeof(DOM_SID) *	601	domain_sids = (DOM_SID )talloc_array(mem_ctx, sizeof(DOM_SID),
602	r.num_domains);	602	r.num_domains);
603	if (!domain_sids) {	603	if (!domain_sids) {
604	DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));	604	DEBUG(0, ("cli_lsa_enum_trust_dom(): out of memory\n"));
Lines 674-692 Link Here
674	*enum_context = r.enum_context;	674	*enum_context = r.enum_context;
675	*count = r.count;	675	*count = r.count;
676		676
677	if (!((privs_name = (char )talloc(mem_ctx, sizeof(char ) * r.count)))) {	677	if (!((privs_name = (char )talloc_array(mem_ctx, sizeof(char ), r.count)))) {
678	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));	678	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
679	result = NT_STATUS_UNSUCCESSFUL;	679	result = NT_STATUS_UNSUCCESSFUL;
680	goto done;	680	goto done;
681	}	681	}
682		682
683	if (!((privs_high = (uint32 )talloc(mem_ctx, sizeof(uint32) * r.count)))) {	683	if (!((privs_high = (uint32 )talloc_array(mem_ctx, sizeof(uint32), r.count)))) {
684	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));	684	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
685	result = NT_STATUS_UNSUCCESSFUL;	685	result = NT_STATUS_UNSUCCESSFUL;
686	goto done;	686	goto done;
687	}	687	}
688		688
689	if (!((privs_low = (uint32 )talloc(mem_ctx, sizeof(uint32) * r.count)))) {	689	if (!((privs_low = (uint32 )talloc_array(mem_ctx, sizeof(uint32), r.count)))) {
690	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));	690	DEBUG(0, ("(cli_lsa_enum_privilege): out of memory\n"));
691	result = NT_STATUS_UNSUCCESSFUL;	691	result = NT_STATUS_UNSUCCESSFUL;
692	goto done;	692	goto done;
Lines 810-816 Link Here
810		810
811	/* Return output parameters */	811	/* Return output parameters */
812		812
813	sids = (DOM_SID )talloc(mem_ctx, sizeof(DOM_SID) * r.sids.num_entries);	813	sids = (DOM_SID )talloc_array(mem_ctx, sizeof(DOM_SID), r.sids.num_entries);
814	if (!*sids) {	814	if (!*sids) {
815	DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));	815	DEBUG(0, ("(cli_lsa_enum_sids): out of memory\n"));
816	result = NT_STATUS_UNSUCCESSFUL;	816	result = NT_STATUS_UNSUCCESSFUL;
Lines 935-941 Link Here
935	if (r.count == 0)	935	if (r.count == 0)
936	goto done;	936	goto done;
937		937
938	if (!((set = (LUID_ATTR )talloc(mem_ctx, sizeof(LUID_ATTR) * r.count)))) {	938	if (!((set = (LUID_ATTR )talloc_array(mem_ctx, sizeof(LUID_ATTR), r.count)))) {
939	DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));	939	DEBUG(0, ("(cli_lsa_enum_privsaccount): out of memory\n"));
940	result = NT_STATUS_UNSUCCESSFUL;	940	result = NT_STATUS_UNSUCCESSFUL;
941	goto done;	941	goto done;

Lines 552-558 Link Here

(-)samba-2.2.8a.orig/source/libsmb/cli_samr.c (-7 / +7 lines)
552	*num_dom_groups = r.num_entries2;	552	*num_dom_groups = r.num_entries2;
553		553
554	if (!((dom_groups) = (struct acct_info )	554	if (!((dom_groups) = (struct acct_info )
555	talloc(mem_ctx, sizeof(struct acct_info) * *num_dom_groups))) {	555	talloc_array(mem_ctx, sizeof(struct acct_info), *num_dom_groups))) {
556	result = NT_STATUS_UNSUCCESSFUL;	556	result = NT_STATUS_UNSUCCESSFUL;
557	goto done;	557	goto done;
558	}	558	}
Lines 630-636 Link Here
630	*num_dom_groups = r.num_entries2;	630	*num_dom_groups = r.num_entries2;
631		631
632	if (!((dom_groups) = (struct acct_info )	632	if (!((dom_groups) = (struct acct_info )
633	talloc(mem_ctx, sizeof(struct acct_info) * *num_dom_groups))) {	633	talloc_array(mem_ctx, sizeof(struct acct_info), *num_dom_groups))) {
634	result = NT_STATUS_UNSUCCESSFUL;	634	result = NT_STATUS_UNSUCCESSFUL;
635	goto done;	635	goto done;
636	}	636	}
Lines 703-709 Link Here
703		703
704	*num_mem = r.num_sids;	704	*num_mem = r.num_sids;
705		705
706	if (!(sids = talloc(mem_ctx, sizeof(DOM_SID) *num_mem))) {	706	if (!(sids = talloc_array(mem_ctx, sizeof(DOM_SID), num_mem))) {
707	result = NT_STATUS_UNSUCCESSFUL;	707	result = NT_STATUS_UNSUCCESSFUL;
708	goto done;	708	goto done;
709	}	709	}
Lines 972-979 Link Here
972	}	972	}
973		973
974	*num_names = r.num_names1;	974	*num_names = r.num_names1;
975	names = talloc(mem_ctx, sizeof(char ) * r.num_names1);	975	names = talloc_array(mem_ctx, sizeof(char ), r.num_names1);
976	name_types = talloc(mem_ctx, sizeof(uint32) r.num_names1);	976	*name_types = talloc_array(mem_ctx, sizeof(uint32), r.num_names1);
977		977
978	for (i = 0; i < r.num_names1; i++) {	978	for (i = 0; i < r.num_names1; i++) {
979	fstring tmp;	979	fstring tmp;
Lines 1040-1047 Link Here
1040	}	1040	}
1041		1041
1042	*num_rids = r.num_rids1;	1042	*num_rids = r.num_rids1;
1043	rids = talloc(mem_ctx, sizeof(uint32) r.num_rids1);	1043	*rids = talloc_array(mem_ctx, sizeof(uint32), r.num_rids1);
1044	rid_types = talloc(mem_ctx, sizeof(uint32) r.num_rids1);	1044	*rid_types = talloc_array(mem_ctx, sizeof(uint32), r.num_rids1);
1045		1045
1046	for (i = 0; i < r.num_rids1; i++) {	1046	for (i = 0; i < r.num_rids1; i++) {
1047	(*rids)[i] = r.rids[i];	1047	(*rids)[i] = r.rids[i];

Lines 70-76 Link Here

(-)samba-2.2.8a.orig/source/libsmb/cli_spoolss.c (-10 / +10 lines)
70	uint32 i;	70	uint32 i;
71	PRINTER_INFO_0 *inf;	71	PRINTER_INFO_0 *inf;
72		72
73	inf=(PRINTER_INFO_0 )talloc(mem_ctx, returnedsizeof(PRINTER_INFO_0));	73	inf=(PRINTER_INFO_0 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_0));
74		74
75	buffer->prs.data_offset=0;	75	buffer->prs.data_offset=0;
76		76
Lines 89-95 Link Here
89	uint32 i;	89	uint32 i;
90	PRINTER_INFO_1 *inf;	90	PRINTER_INFO_1 *inf;
91		91
92	inf=(PRINTER_INFO_1 )talloc(mem_ctx, returnedsizeof(PRINTER_INFO_1));	92	inf=(PRINTER_INFO_1 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_1));
93		93
94	buffer->prs.data_offset=0;	94	buffer->prs.data_offset=0;
95		95
Lines 108-114 Link Here
108	uint32 i;	108	uint32 i;
109	PRINTER_INFO_2 *inf;	109	PRINTER_INFO_2 *inf;
110		110
111	inf=(PRINTER_INFO_2 )talloc(mem_ctx, returnedsizeof(PRINTER_INFO_2));	111	inf=(PRINTER_INFO_2 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_2));
112		112
113	buffer->prs.data_offset=0;	113	buffer->prs.data_offset=0;
114		114
Lines 129-135 Link Here
129	uint32 i;	129	uint32 i;
130	PRINTER_INFO_3 *inf;	130	PRINTER_INFO_3 *inf;
131		131
132	inf=(PRINTER_INFO_3 )talloc(mem_ctx, returnedsizeof(PRINTER_INFO_3));	132	inf=(PRINTER_INFO_3 *)talloc_array(mem_ctx, returned, sizeof(PRINTER_INFO_3));
133		133
134	buffer->prs.data_offset=0;	134	buffer->prs.data_offset=0;
135		135
Lines 149-155 Link Here
149	uint32 i;	149	uint32 i;
150	PORT_INFO_1 *inf;	150	PORT_INFO_1 *inf;
151		151
152	inf=(PORT_INFO_1)talloc(mem_ctx, returnedsizeof(PORT_INFO_1));	152	inf=(PORT_INFO_1*)talloc_array(mem_ctx, returned, sizeof(PORT_INFO_1));
153		153
154	prs_set_offset(&buffer->prs, 0);	154	prs_set_offset(&buffer->prs, 0);
155		155
Lines 168-174 Link Here
168	uint32 i;	168	uint32 i;
169	PORT_INFO_2 *inf;	169	PORT_INFO_2 *inf;
170		170
171	inf=(PORT_INFO_2)talloc(mem_ctx, returnedsizeof(PORT_INFO_2));	171	inf=(PORT_INFO_2*)talloc_array(mem_ctx, returned, sizeof(PORT_INFO_2));
172		172
173	prs_set_offset(&buffer->prs, 0);	173	prs_set_offset(&buffer->prs, 0);
174		174
Lines 187-193 Link Here
187	uint32 i;	187	uint32 i;
188	DRIVER_INFO_1 *inf;	188	DRIVER_INFO_1 *inf;
189		189
190	inf=(DRIVER_INFO_1 )talloc(mem_ctx, returnedsizeof(DRIVER_INFO_1));	190	inf=(DRIVER_INFO_1 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_1));
191		191
192	buffer->prs.data_offset=0;	192	buffer->prs.data_offset=0;
193		193
Lines 206-212 Link Here
206	uint32 i;	206	uint32 i;
207	DRIVER_INFO_2 *inf;	207	DRIVER_INFO_2 *inf;
208		208
209	inf=(DRIVER_INFO_2 )talloc(mem_ctx, returnedsizeof(DRIVER_INFO_2));	209	inf=(DRIVER_INFO_2 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_2));
210		210
211	buffer->prs.data_offset=0;	211	buffer->prs.data_offset=0;
212		212
Lines 225-231 Link Here
225	uint32 i;	225	uint32 i;
226	DRIVER_INFO_3 *inf;	226	DRIVER_INFO_3 *inf;
227		227
228	inf=(DRIVER_INFO_3 )talloc(mem_ctx, returnedsizeof(DRIVER_INFO_3));	228	inf=(DRIVER_INFO_3 *)talloc_array(mem_ctx, returned, sizeof(DRIVER_INFO_3));
229		229
230	buffer->prs.data_offset=0;	230	buffer->prs.data_offset=0;
231		231
Lines 1415-1421 Link Here
1415	{	1415	{
1416	int i;	1416	int i;
1417		1417
1418	forms = (FORM_1 )talloc(mem_ctx, num_forms * sizeof(FORM_1));	1418	forms = (FORM_1 )talloc_array(mem_ctx, num_forms, sizeof(FORM_1));
1419	buffer->prs.data_offset = 0;	1419	buffer->prs.data_offset = 0;
1420		1420
1421	for (i = 0; i < num_forms; i++)	1421	for (i = 0; i < num_forms; i++)

Lines 335-341 Link Here

(-)samba-2.2.8a.orig/source/libsmb/nmblib.c (-4 / +4 lines)
335	struct res_rec **recs, int count)	335	struct res_rec **recs, int count)
336	{	336	{
337	int i;	337	int i;
338	recs = (struct res_rec )malloc(sizeof(*recs)count);	338	recs = (struct res_rec )malloc_array(sizeof(**recs), count);
339	if (!*recs) return(False);	339	if (!*recs) return(False);
340		340
341	memset((char )recs,'\0',sizeof(*recs)count);	341	memset((char )recs,'\0',sizeof(*recs)count);
Lines 551-557 Link Here
551	if (nmb->answers)	551	if (nmb->answers)
552	{	552	{
553	if((copy_nmb->answers = (struct res_rec *)	553	if((copy_nmb->answers = (struct res_rec *)
554	malloc(nmb->header.ancount * sizeof(struct res_rec))) == NULL)	554	malloc_array(nmb->header.ancount, sizeof(struct res_rec))) == NULL)
555	goto free_and_exit;	555	goto free_and_exit;
556	memcpy((char )copy_nmb->answers, (char )nmb->answers,	556	memcpy((char )copy_nmb->answers, (char )nmb->answers,
557	nmb->header.ancount * sizeof(struct res_rec));	557	nmb->header.ancount * sizeof(struct res_rec));
Lines 559-565 Link Here
559	if (nmb->nsrecs)	559	if (nmb->nsrecs)
560	{	560	{
561	if((copy_nmb->nsrecs = (struct res_rec *)	561	if((copy_nmb->nsrecs = (struct res_rec *)
562	malloc(nmb->header.nscount * sizeof(struct res_rec))) == NULL)	562	malloc_array(nmb->header.nscount, sizeof(struct res_rec))) == NULL)
563	goto free_and_exit;	563	goto free_and_exit;
564	memcpy((char )copy_nmb->nsrecs, (char )nmb->nsrecs,	564	memcpy((char )copy_nmb->nsrecs, (char )nmb->nsrecs,
565	nmb->header.nscount * sizeof(struct res_rec));	565	nmb->header.nscount * sizeof(struct res_rec));
Lines 567-573 Link Here
567	if (nmb->additional)	567	if (nmb->additional)
568	{	568	{
569	if((copy_nmb->additional = (struct res_rec *)	569	if((copy_nmb->additional = (struct res_rec *)
570	malloc(nmb->header.arcount * sizeof(struct res_rec))) == NULL)	570	malloc_array(nmb->header.arcount, sizeof(struct res_rec))) == NULL)
571	goto free_and_exit;	571	goto free_and_exit;
572	memcpy((char )copy_nmb->additional, (char )nmb->additional,	572	memcpy((char )copy_nmb->additional, (char )nmb->additional,
573	nmb->header.arcount * sizeof(struct res_rec));	573	nmb->header.arcount * sizeof(struct res_rec));

Lines 195-202 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_namelistdb.c (-5 / +5 lines)
195	}	195	}
196		196
197	memset( (char )namerec, '\0', sizeof(namerec) );	197	memset( (char )namerec, '\0', sizeof(namerec) );
198	namerec->data.ip = (struct in_addr *)malloc( sizeof(struct in_addr)	198	namerec->data.ip = (struct in_addr *)malloc_array( sizeof(struct in_addr),
199	* num_ips );	199	num_ips );
200	if( NULL == namerec->data.ip )	200	if( NULL == namerec->data.ip )
201	{	201	{
202	DEBUG( 0, ( "add_name_to_subnet: malloc fail when creating ip_flgs.\n" ) );	202	DEBUG( 0, ( "add_name_to_subnet: malloc fail when creating ip_flgs.\n" ) );
Lines 336-343 Link Here
336	if( find_ip_in_name_record( namerec, new_ip ) )	336	if( find_ip_in_name_record( namerec, new_ip ) )
337	return;	337	return;
338		338
339	new_list = (struct in_addr *)malloc( (namerec->data.num_ips + 1)	339	new_list = (struct in_addr *)malloc_array( (namerec->data.num_ips + 1),
340	* sizeof(struct in_addr) );	340	sizeof(struct in_addr) );
341	if( NULL == new_list )	341	if( NULL == new_list )
342	{	342	{
343	DEBUG(0,("add_ip_to_name_record: Malloc fail !\n"));	343	DEBUG(0,("add_ip_to_name_record: Malloc fail !\n"));
Lines 492-498 Link Here
492	/* Create an IP list containing all our known subnets. */	492	/* Create an IP list containing all our known subnets. */
493		493
494	num_ips = iface_count();	494	num_ips = iface_count();
495	iplist = (struct in_addr )malloc( num_ips sizeof(struct in_addr) );	495	iplist = (struct in_addr *)malloc_array( num_ips, sizeof(struct in_addr) );
496	if( NULL == iplist )	496	if( NULL == iplist )
497	{	497	{
498	DEBUG(0,("add_samba_names_to_subnet: Malloc fail !\n"));	498	DEBUG(0,("add_samba_names_to_subnet: Malloc fail !\n"));

Lines 272-278 Link Here

(-)samba-2.2.8a.orig/source/nmbd/nmbd_winsserver.c (-3 / +3 lines)
272	}	272	}
273		273
274	/* Allocate the space for the ip_list. */	274	/* Allocate the space for the ip_list. */
275	if((ip_list = (struct in_addr )malloc( num_ips sizeof(struct in_addr))) == NULL)	275	if((ip_list = (struct in_addr *)malloc_array( num_ips, sizeof(struct in_addr))) == NULL)
276	{	276	{
277	DEBUG(0,("initialise_wins: Malloc fail !\n"));	277	DEBUG(0,("initialise_wins: Malloc fail !\n"));
278	return False;	278	return False;
Lines 1237-1243 Link Here
1237	return;	1237	return;
1238	}	1238	}
1239		1239
1240	if((prdata = (char )malloc( num_ips 6 )) == NULL)	1240	if((prdata = (char *)malloc_array( num_ips, 6 )) == NULL)
1241	{	1241	{
1242	DEBUG(0,("process_wins_dmb_query_request: Malloc fail !.\n"));	1242	DEBUG(0,("process_wins_dmb_query_request: Malloc fail !.\n"));
1243	return;	1243	return;
Lines 1309-1315 Link Here
1309	prdata = rdata;	1309	prdata = rdata;
1310	else	1310	else
1311	{	1311	{
1312	if((prdata = (char )malloc( namerec->data.num_ips 6 )) == NULL)	1312	if((prdata = (char *)malloc_array( namerec->data.num_ips, 6 )) == NULL)
1313	{	1313	{
1314	DEBUG(0,("send_wins_name_query_response: malloc fail !\n"));	1314	DEBUG(0,("send_wins_name_query_response: malloc fail !\n"));
1315	return;	1315	return;

Lines 431-437 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbindd_group.c (-3 / +3 lines)
431	/* Copy entries into return buffer */	431	/* Copy entries into return buffer */
432		432
433	if (num_entries) {	433	if (num_entries) {
434	name_list = malloc(sizeof(struct acct_info) * num_entries);	434	name_list = malloc_array(sizeof(struct acct_info), num_entries);
435	memcpy(name_list, sam_grp_entries,	435	memcpy(name_list, sam_grp_entries,
436	num_entries * sizeof(struct acct_info));	436	num_entries * sizeof(struct acct_info));
437	}	437	}
Lines 477-483 Link Here
477	num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries);	477	num_groups = MIN(MAX_GETGRENT_GROUPS, state->request.data.num_entries);
478		478
479	if ((state->response.extra_data =	479	if ((state->response.extra_data =
480	malloc(num_groups * sizeof(struct winbindd_gr))) == NULL)	480	malloc_array(num_groups, sizeof(struct winbindd_gr))) == NULL)
481	return WINBINDD_ERROR;	481	return WINBINDD_ERROR;
482		482
483	state->response.data.num_entries = 0;	483	state->response.data.num_entries = 0;
Lines 830-836 Link Here
830	/* Copy data back to client */	830	/* Copy data back to client */
831		831
832	num_gids = 0;	832	num_gids = 0;
833	gid_list = malloc(sizeof(gid_t) * num_groups);	833	gid_list = malloc_array(sizeof(gid_t), num_groups);
834		834
835	if (state->response.extra_data)	835	if (state->response.extra_data)
836	goto done;	836	goto done;

Lines 192-198 Link Here

(-)samba-2.2.8a.orig/source/nsswitch/winbindd_rpc.c (-3 / +12 lines)
192	talloc_destroy(mem_ctx2);	192	talloc_destroy(mem_ctx2);
193	break;	193	break;
194	}	194	}
195		195	if(
		196	(*num_entries) >= INT_MAX-count \|\|
		197	sizeof(*info) >= INT_MAX/(num_entries)
		198	)
		199	{
		200	DEBUG(0,("enum_dom_groups: integer overflow detected.\n"));
		201	talloc_destroy(mem_ctx2);
		202	cli_samr_close(hnd->cli, mem_ctx, &dom_pol);
		203	return NT_STATUS_NO_MEMORY;
		204	}
196	(info) = talloc_realloc(mem_ctx, info,	205	(info) = talloc_realloc(mem_ctx, info,
197	sizeof(*info) ((*num_entries) + count));	206	sizeof(*info) ((*num_entries) + count));
198	if (! *info) {	207	if (! *info) {
Lines 500-507 Link Here
500		509
501	#define MAX_LOOKUP_RIDS 900	510	#define MAX_LOOKUP_RIDS 900
502		511
503	names = talloc_zero(mem_ctx, num_names * sizeof(char *));	512	names = talloc_zero_array(mem_ctx, num_names, sizeof(char *));
504	name_types = talloc_zero(mem_ctx, num_names * sizeof(uint32));	513	name_types = talloc_zero_array(mem_ctx, num_names, sizeof(uint32));
505		514
506	for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {	515	for (i = 0; i < *num_names; i += MAX_LOOKUP_RIDS) {
507	int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);	516	int num_lookup_rids = MIN(*num_names - i, MAX_LOOKUP_RIDS);

Lines 65-71 Link Here

(-)samba-2.2.8a.orig/source/popt/popt.c (-7 / +7 lines)
65	con->execs = NULL;	65	con->execs = NULL;
66	con->numExecs = 0;	66	con->numExecs = 0;
67	con->finalArgvAlloced = argc * 2;	67	con->finalArgvAlloced = argc * 2;
68	con->finalArgv = calloc( con->finalArgvAlloced, sizeof(*con->finalArgv) );	68	con->finalArgv = calloc_array( con->finalArgvAlloced, sizeof(*con->finalArgv) );
69	con->execAbsolute = 1;	69	con->execAbsolute = 1;
70	con->arg_strip = NULL;	70	con->arg_strip = NULL;
71		71
Lines 158-165 Link Here
158	time 'round */	158	time 'round */
159	if ((con->finalArgvCount + 1) >= (con->finalArgvAlloced)) {	159	if ((con->finalArgvCount + 1) >= (con->finalArgvAlloced)) {
160	con->finalArgvAlloced += 10;	160	con->finalArgvAlloced += 10;
161	con->finalArgv = realloc(con->finalArgv,	161	con->finalArgv = realloc_array(con->finalArgv,
162	sizeof(con->finalArgv) con->finalArgvAlloced);	162	sizeof(*con->finalArgv), con->finalArgvAlloced);
163	}	163	}
164		164
165	i = con->finalArgvCount++;	165	i = con->finalArgvCount++;
Lines 221-227 Link Here
221	int pos = 0;	221	int pos = 0;
222	const char * script = con->doExec->script;	222	const char * script = con->doExec->script;
223		223
224	argv = malloc(sizeof(argv)	224	argv = malloc_array(sizeof(*argv),
225	(6 + con->numLeftovers + con->finalArgvCount));	225	(6 + con->numLeftovers + con->finalArgvCount));
226		226
227	if (!con->execAbsolute && strchr(script, '/')) return;	227	if (!con->execAbsolute && strchr(script, '/')) return;
Lines 677-686 Link Here
677		677
678	/* SunOS won't realloc(NULL, ...) */	678	/* SunOS won't realloc(NULL, ...) */
679	if (!con->aliases)	679	if (!con->aliases)
680	con->aliases = malloc(sizeof(newAlias) * con->numAliases);	680	con->aliases = malloc_array(sizeof(newAlias), con->numAliases);
681	else	681	else
682	con->aliases = realloc(con->aliases,	682	con->aliases = realloc_array(con->aliases,
683	sizeof(newAlias) * con->numAliases);	683	sizeof(newAlias), con->numAliases);
684	alias = con->aliases + aliasNum;	684	alias = con->aliases + aliasNum;
685		685
686	alias->longName = (newAlias.longName)	686	alias->longName = (newAlias.longName)

Lines 448-454 Link Here

(-)samba-2.2.8a.orig/source/printing/nt_printing.c (-8 / +8 lines)
448	SAFE_FREE(dbuf.dptr);	448	SAFE_FREE(dbuf.dptr);
449	if (ret != dbuf.dsize) continue;	449	if (ret != dbuf.dsize) continue;
450		450
451	tl = Realloc(list, sizeof(nt_forms_struct)(n+1));	451	tl = realloc_array(*list, sizeof(nt_forms_struct), (n+1));
452	if (!tl) {	452	if (!tl) {
453	DEBUG(0,("get_ntforms: Realloc fail.\n"));	453	DEBUG(0,("get_ntforms: Realloc fail.\n"));
454	return 0;	454	return 0;
Lines 519-525 Link Here
519	}	519	}
520		520
521	if (update==False) {	521	if (update==False) {
522	if((tl=Realloc(list, (n+1)sizeof(nt_forms_struct))) == NULL) {	522	if((tl=realloc_array(*list, (n+1), sizeof(nt_forms_struct))) == NULL) {
523	DEBUG(0,("add_a_form: failed to enlarge forms list!\n"));	523	DEBUG(0,("add_a_form: failed to enlarge forms list!\n"));
524	return False;	524	return False;
525	}	525	}
Lines 627-633 Link Here
627	newkey = tdb_nextkey(tdb_drivers, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {	627	newkey = tdb_nextkey(tdb_drivers, kbuf), safe_free(kbuf.dptr), kbuf=newkey) {
628	if (strncmp(kbuf.dptr, key, strlen(key)) != 0) continue;	628	if (strncmp(kbuf.dptr, key, strlen(key)) != 0) continue;
629		629
630	if((fl = Realloc(list, sizeof(fstring)(total+1))) == NULL) {	630	if((fl = realloc_array(*list, sizeof(fstring), (total+1))) == NULL) {
631	DEBUG(0,("get_ntdrivers: failed to enlarge list!\n"));	631	DEBUG(0,("get_ntdrivers: failed to enlarge list!\n"));
632	return -1;	632	return -1;
633	}	633	}
Lines 1744-1750 Link Here
1744	fstrcpy(info.configfile, "");	1744	fstrcpy(info.configfile, "");
1745	fstrcpy(info.helpfile, "");	1745	fstrcpy(info.helpfile, "");
1746		1746
1747	if ((info.dependentfiles=(fstring )malloc(2sizeof(fstring))) == NULL)	1747	if ((info.dependentfiles=(fstring *)malloc_array(2, sizeof(fstring))) == NULL)
1748	return WERR_NOMEM;	1748	return WERR_NOMEM;
1749		1749
1750	memset(info.dependentfiles, '\0', 2*sizeof(fstring));	1750	memset(info.dependentfiles, '\0', 2*sizeof(fstring));
Lines 1796-1803 Link Here
1796	while (len < dbuf.dsize) {	1796	while (len < dbuf.dsize) {
1797	fstring *tddfs;	1797	fstring *tddfs;
1798		1798
1799	tddfs = (fstring *)Realloc(driver.dependentfiles,	1799	tddfs = (fstring *)realloc_array(driver.dependentfiles,
1800	sizeof(fstring)*(i+2));	1800	sizeof(fstring), (i+2));
1801	if (tddfs == NULL) {	1801	if (tddfs == NULL) {
1802	DEBUG(0,("get_a_printer_driver_3: failed to enlarge buffer!\n"));	1802	DEBUG(0,("get_a_printer_driver_3: failed to enlarge buffer!\n"));
1803	break;	1803	break;
Lines 3598-3604 Link Here
3598	/* exited because it exist */	3598	/* exited because it exist */
3599	*type=param->type;	3599	*type=param->type;
3600	StrnCpy(value, param->value, sizeof(fstring)-1);	3600	StrnCpy(value, param->value, sizeof(fstring)-1);
3601	data=(uint8 )malloc(param->data_len*sizeof(uint8));	3601	data=(uint8 )malloc_array(param->data_len, sizeof(uint8));
3602	if(*data == NULL)	3602	if(*data == NULL)
3603	return False;	3603	return False;
3604	ZERO_STRUCTP(*data);	3604	ZERO_STRUCTP(*data);
Lines 3638-3644 Link Here
3638	/* exited because it exist */	3638	/* exited because it exist */
3639	*type=param->type;	3639	*type=param->type;
3640		3640
3641	data=(uint8 )malloc(param->data_len*sizeof(uint8));	3641	data=(uint8 )malloc_array(param->data_len, sizeof(uint8));
3642	if(*data == NULL)	3642	if(*data == NULL)
3643	return False;	3643	return False;
3644	memcpy(*data, param->data, param->data_len);	3644	memcpy(*data, param->data, param->data_len);

Lines 824-830 Link Here

(-)samba-2.2.8a.orig/source/rpc_parse/parse_net.c (-9 / +9 lines)
824	;	824	;
825		825
826	/* Now allocate space for them. */	826	/* Now allocate space for them. */
827	ppsids = (DOM_SID2 )talloc_zero(ctx, count * sizeof(DOM_SID2));	827	ppsids = (DOM_SID2 )talloc_zero_array(ctx, count, sizeof(DOM_SID2));
828	if (*ppsids == NULL)	828	if (*ppsids == NULL)
829	return 0;	829	return 0;
830		830
Lines 1291-1297 Link Here
1291	/* always have at least one group == the user's primary group */	1291	/* always have at least one group == the user's primary group */
1292	usr->num_groups2 = num_groups+1;	1292	usr->num_groups2 = num_groups+1;
1293		1293
1294	usr->gids = (DOM_GID )talloc_zero(ctx,sizeof(DOM_GID) (num_groups+1));	1294	usr->gids = (DOM_GID *)talloc_zero_array(ctx,sizeof(DOM_GID), (num_groups+1));
1295	if (usr->gids == NULL)	1295	if (usr->gids == NULL)
1296	return;	1296	return;
1297		1297
Lines 2130-2136 Link Here
2130	return False;	2130	return False;
2131	}	2131	}
2132		2132
2133	info->rids = talloc(ps->mem_ctx, sizeof(uint32) *	2133	info->rids = talloc_array(ps->mem_ctx, sizeof(uint32),
2134	info->num_members2);	2134	info->num_members2);
2135		2135
2136	if (info->rids == NULL) {	2136	if (info->rids == NULL) {
Lines 2245-2251 Link Here
2245	return False;	2245	return False;
2246	}	2246	}
2247		2247
2248	info->ptr_sids = talloc(ps->mem_ctx, sizeof(uint32) *	2248	info->ptr_sids = talloc_array(ps->mem_ctx, sizeof(uint32),
2249	info->num_sids);	2249	info->num_sids);
2250		2250
2251	if (info->ptr_sids == NULL) {	2251	if (info->ptr_sids == NULL) {
Lines 2261-2267 Link Here
2261	return False;	2261	return False;
2262	}	2262	}
2263		2263
2264	info->sids = talloc(ps->mem_ctx, sizeof(DOM_SID2) *	2264	info->sids = talloc_array(ps->mem_ctx, sizeof(DOM_SID2),
2265	info->num_sids);	2265	info->num_sids);
2266		2266
2267	if (info->sids == NULL) {	2267	if (info->sids == NULL) {
Lines 2403-2409 Link Here
2403		2403
2404	if (r_s->num_deltas2 > 0) {	2404	if (r_s->num_deltas2 > 0) {
2405	r_s->hdr_deltas = (SAM_DELTA_HDR *)	2405	r_s->hdr_deltas = (SAM_DELTA_HDR *)
2406	talloc(ps->mem_ctx, r_s->num_deltas2 *	2406	talloc_array(ps->mem_ctx, r_s->num_deltas2,
2407	sizeof(SAM_DELTA_HDR));	2407	sizeof(SAM_DELTA_HDR));
2408		2408
2409	if (r_s->hdr_deltas == NULL) {	2409	if (r_s->hdr_deltas == NULL) {
Lines 2424-2430 Link Here
2424		2424
2425	if (r_s->num_deltas2 > 0) {	2425	if (r_s->num_deltas2 > 0) {
2426	r_s->deltas = (SAM_DELTA_CTR *)	2426	r_s->deltas = (SAM_DELTA_CTR *)
2427	talloc(ps->mem_ctx, r_s->num_deltas2 *	2427	talloc_array(ps->mem_ctx, r_s->num_deltas2,
2428	sizeof(SAM_DELTA_CTR));	2428	sizeof(SAM_DELTA_CTR));
2429		2429
2430	if (r_s->deltas == NULL) {	2430	if (r_s->deltas == NULL) {
Lines 2539-2545 Link Here
2539	{	2539	{
2540	if (r_s->num_deltas > 0) {	2540	if (r_s->num_deltas > 0) {
2541	r_s->hdr_deltas = (SAM_DELTA_HDR *)	2541	r_s->hdr_deltas = (SAM_DELTA_HDR *)
2542	talloc(ps->mem_ctx, r_s->num_deltas *	2542	talloc_array(ps->mem_ctx, r_s->num_deltas,
2543	sizeof(SAM_DELTA_HDR));	2543	sizeof(SAM_DELTA_HDR));
2544	if (r_s->hdr_deltas == NULL) {	2544	if (r_s->hdr_deltas == NULL) {
2545	DEBUG(0, ("error tallocating memory "	2545	DEBUG(0, ("error tallocating memory "
Lines 2557-2563 Link Here
2557		2557
2558	if (r_s->num_deltas > 0) {	2558	if (r_s->num_deltas > 0) {
2559	r_s->deltas = (SAM_DELTA_CTR *)	2559	r_s->deltas = (SAM_DELTA_CTR *)
2560	talloc(ps->mem_ctx, r_s->num_deltas *	2560	talloc_array(ps->mem_ctx, r_s->num_deltas,
2561	sizeof(SAM_DELTA_CTR));	2561	sizeof(SAM_DELTA_CTR));
2562		2562
2563	if (r_s->deltas == NULL) {	2563	if (r_s->deltas == NULL) {

Lines 1451-1461 Link Here

(-)samba-2.2.8a.orig/source/rpc_parse/parse_samr.c (-15 / +15 lines)
1451	if (num_entries==0)	1451	if (num_entries==0)
1452	return NT_STATUS_OK;	1452	return NT_STATUS_OK;
1453		1453
1454	sam->sam=(SAM_ENTRY1 )talloc(ctx, num_entriessizeof(SAM_ENTRY1));	1454	sam->sam=(SAM_ENTRY1 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY1));
1455	if (!sam->sam)	1455	if (!sam->sam)
1456	return NT_STATUS_NO_MEMORY;	1456	return NT_STATUS_NO_MEMORY;
1457		1457
1458	sam->str=(SAM_STR1 )talloc(ctx, num_entriessizeof(SAM_STR1));	1458	sam->str=(SAM_STR1 *)talloc_array(ctx, num_entries, sizeof(SAM_STR1));
1459	if (!sam->str)	1459	if (!sam->str)
1460	return NT_STATUS_NO_MEMORY;	1460	return NT_STATUS_NO_MEMORY;
1461		1461
Lines 1554-1563 Link Here
1554	if (num_entries==0)	1554	if (num_entries==0)
1555	return NT_STATUS_OK;	1555	return NT_STATUS_OK;
1556		1556
1557	if (!(sam->sam=(SAM_ENTRY2 )talloc(ctx, num_entriessizeof(SAM_ENTRY2))))	1557	if (!(sam->sam=(SAM_ENTRY2 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY2))))
1558	return NT_STATUS_NO_MEMORY;	1558	return NT_STATUS_NO_MEMORY;
1559		1559
1560	if (!(sam->str=(SAM_STR2 )talloc(ctx, num_entriessizeof(SAM_STR2))))	1560	if (!(sam->str=(SAM_STR2 *)talloc_array(ctx, num_entries, sizeof(SAM_STR2))))
1561	return NT_STATUS_NO_MEMORY;	1561	return NT_STATUS_NO_MEMORY;
1562		1562
1563	ZERO_STRUCTP(sam->sam);	1563	ZERO_STRUCTP(sam->sam);
Lines 1652-1661 Link Here
1652	if (num_entries==0)	1652	if (num_entries==0)
1653	return NT_STATUS_OK;	1653	return NT_STATUS_OK;
1654		1654
1655	if (!(sam->sam=(SAM_ENTRY3 )talloc(ctx, num_entriessizeof(SAM_ENTRY3))))	1655	if (!(sam->sam=(SAM_ENTRY3 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY3))))
1656	return NT_STATUS_NO_MEMORY;	1656	return NT_STATUS_NO_MEMORY;
1657		1657
1658	if (!(sam->str=(SAM_STR3 )talloc(ctx, num_entriessizeof(SAM_STR3))))	1658	if (!(sam->str=(SAM_STR3 *)talloc_array(ctx, num_entries, sizeof(SAM_STR3))))
1659	return NT_STATUS_NO_MEMORY;	1659	return NT_STATUS_NO_MEMORY;
1660		1660
1661	ZERO_STRUCTP(sam->sam);	1661	ZERO_STRUCTP(sam->sam);
Lines 1747-1756 Link Here
1747	if (num_entries==0)	1747	if (num_entries==0)
1748	return NT_STATUS_OK;	1748	return NT_STATUS_OK;
1749		1749
1750	if (!(sam->sam=(SAM_ENTRY4 )talloc(ctx, num_entriessizeof(SAM_ENTRY4))))	1750	if (!(sam->sam=(SAM_ENTRY4 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY4))))
1751	return NT_STATUS_NO_MEMORY;	1751	return NT_STATUS_NO_MEMORY;
1752		1752
1753	if (!(sam->str=(SAM_STR4 )talloc(ctx, num_entriessizeof(SAM_STR4))))	1753	if (!(sam->str=(SAM_STR4 *)talloc_array(ctx, num_entries, sizeof(SAM_STR4))))
1754	return NT_STATUS_NO_MEMORY;	1754	return NT_STATUS_NO_MEMORY;
1755		1755
1756	ZERO_STRUCTP(sam->sam);	1756	ZERO_STRUCTP(sam->sam);
Lines 1838-1847 Link Here
1838	if (num_entries==0)	1838	if (num_entries==0)
1839	return NT_STATUS_OK;	1839	return NT_STATUS_OK;
1840		1840
1841	if (!(sam->sam=(SAM_ENTRY5 )talloc(ctx, num_entriessizeof(SAM_ENTRY5))))	1841	if (!(sam->sam=(SAM_ENTRY5 *)talloc_array(ctx, num_entries, sizeof(SAM_ENTRY5))))
1842	return NT_STATUS_NO_MEMORY;	1842	return NT_STATUS_NO_MEMORY;
1843		1843
1844	if (!(sam->str=(SAM_STR5 )talloc(ctx, num_entriessizeof(SAM_STR5))))	1844	if (!(sam->str=(SAM_STR5 *)talloc_array(ctx, num_entries, sizeof(SAM_STR5))))
1845	return NT_STATUS_NO_MEMORY;	1845	return NT_STATUS_NO_MEMORY;
1846		1846
1847	ZERO_STRUCTP(sam->sam);	1847	ZERO_STRUCTP(sam->sam);
Lines 3918-3924 Link Here
3918	q_u->flags = flags;	3918	q_u->flags = flags;
3919	q_u->ptr = 0;	3919	q_u->ptr = 0;
3920	q_u->num_rids2 = num_rids;	3920	q_u->num_rids2 = num_rids;
3921	q_u->rid = (uint32 )talloc_zero(ctx, num_rids sizeof(q_u->rid[0]));	3921	q_u->rid = (uint32 *)talloc_zero_array(ctx, num_rids, sizeof(q_u->rid[0]));
3922	if (q_u->rid == NULL) {	3922	if (q_u->rid == NULL) {
3923	q_u->num_rids1 = 0;	3923	q_u->num_rids1 = 0;
3924	q_u->num_rids2 = 0;	3924	q_u->num_rids2 = 0;
Lines 4550-4559 Link Here
4550	q_u->ptr = 0;	4550	q_u->ptr = 0;
4551	q_u->num_names2 = num_names;	4551	q_u->num_names2 = num_names;
4552		4552
4553	if (!(q_u->hdr_name = (UNIHDR )talloc_zero(ctx, num_names sizeof(UNIHDR))))	4553	if (!(q_u->hdr_name = (UNIHDR *)talloc_zero_array(ctx, num_names, sizeof(UNIHDR))))
4554	return NT_STATUS_NO_MEMORY;	4554	return NT_STATUS_NO_MEMORY;
4555		4555
4556	if (!(q_u->uni_name = (UNISTR2 )talloc_zero(ctx, num_names sizeof(UNISTR2))))	4556	if (!(q_u->uni_name = (UNISTR2 *)talloc_zero_array(ctx, num_names, sizeof(UNISTR2))))
4557	return NT_STATUS_NO_MEMORY;	4557	return NT_STATUS_NO_MEMORY;
4558		4558
4559	for (i = 0; i < num_names; i++) {	4559	for (i = 0; i < num_names; i++) {
Lines 4642-4650 Link Here
4642	r_u->ptr_rids = 1;	4642	r_u->ptr_rids = 1;
4643	r_u->num_rids2 = num_rids;	4643	r_u->num_rids2 = num_rids;
4644		4644
4645	if (!(r_u->rids = (uint32 )talloc_zero(ctx, sizeof(uint32)num_rids)))	4645	if (!(r_u->rids = (uint32 *)talloc_zero_array(ctx, sizeof(uint32), num_rids)))
4646	return NT_STATUS_NO_MEMORY;	4646	return NT_STATUS_NO_MEMORY;
4647	if (!(r_u->types = (uint32 )talloc_zero(ctx, sizeof(uint32)num_rids)))	4647	if (!(r_u->types = (uint32 *)talloc_zero_array(ctx, sizeof(uint32), num_rids)))
4648	return NT_STATUS_NO_MEMORY;	4648	return NT_STATUS_NO_MEMORY;
4649		4649
4650	if (!r_u->rids \|\| !r_u->types)	4650	if (!r_u->rids \|\| !r_u->types)

Lines 218-230 Link Here

(-)samba-2.2.8a.orig/source/rpc_server/srv_lsa_nt.c (-4 / +4 lines)
218	/* Allocate memory for list of names */	218	/* Allocate memory for list of names */
219		219
220	if (num_entries > 0) {	220	if (num_entries > 0) {
221	if (!(trn->name = (LSA_TRANS_NAME )talloc(ctx, sizeof(LSA_TRANS_NAME)	221	if (!(trn->name = (LSA_TRANS_NAME *)talloc_array(ctx, sizeof(LSA_TRANS_NAME),
222	num_entries))) {	222	num_entries))) {
223	DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));	223	DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
224	return;	224	return;
225	}	225	}
226		226
227	if (!(trn->uni_name = (UNISTR2 )talloc(ctx, sizeof(UNISTR2)	227	if (!(trn->uni_name = (UNISTR2 *)talloc_array(ctx, sizeof(UNISTR2),
228	num_entries))) {	228	num_entries))) {
229	DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));	229	DEBUG(0, ("init_lsa_trans_names(): out of memory\n"));
230	return;	230	return;
Lines 385-391 Link Here
385	info->id2.auditing_enabled = 1;	385	info->id2.auditing_enabled = 1;
386	info->id2.count1 = 7;	386	info->id2.count1 = 7;
387	info->id2.count2 = 7;	387	info->id2.count2 = 7;
388	if ((info->id2.auditsettings = (uint32 )talloc(p->mem_ctx,7sizeof(uint32))) == NULL)	388	if ((info->id2.auditsettings = (uint32 *)talloc_array(p->mem_ctx, 7, sizeof(uint32))) == NULL)
389	return NT_STATUS_NO_MEMORY;	389	return NT_STATUS_NO_MEMORY;
390	for (i = 0; i < 7; i++)	390	for (i = 0; i < 7; i++)
391	info->id2.auditsettings[i] = 3;	391	info->id2.auditsettings[i] = 3;
Lines 566-572 Link Here
566	if (enum_context >= PRIV_ALL_INDEX)	566	if (enum_context >= PRIV_ALL_INDEX)
567	return NT_STATUS_UNABLE_TO_FREE_VM;	567	return NT_STATUS_UNABLE_TO_FREE_VM;
568		568
569	entries = (LSA_PRIV_ENTRY )talloc_zero(p->mem_ctx, sizeof(LSA_PRIV_ENTRY) (PRIV_ALL_INDEX-enum_context));	569	entries = (LSA_PRIV_ENTRY *)talloc_zero_array(p->mem_ctx, sizeof(LSA_PRIV_ENTRY), (PRIV_ALL_INDEX-enum_context));
570	if (entries==NULL)	570	if (entries==NULL)
571	return NT_STATUS_NO_MEMORY;	571	return NT_STATUS_NO_MEMORY;
572		572

Lines 175-182 Link Here

(-)samba-2.2.8a.orig/source/rpc_server/srv_samr_nt.c (-19 / +19 lines)
175	if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {	175	if (info->disp_info.num_user_account % MAX_SAM_ENTRIES == 0) {
176		176
177	DEBUG(10,("load_sampwd_entries: allocating more memory\n"));	177	DEBUG(10,("load_sampwd_entries: allocating more memory\n"));
178	pwd_array=(DISP_USER_INFO *)Realloc(info->disp_info.disp_user_info,	178	pwd_array=(DISP_USER_INFO *)realloc_array(info->disp_info.disp_user_info,
179	(info->disp_info.num_user_account+MAX_SAM_ENTRIES)*sizeof(DISP_USER_INFO));	179	(info->disp_info.num_user_account+MAX_SAM_ENTRIES), sizeof(DISP_USER_INFO));
180		180
181	if (pwd_array==NULL)	181	if (pwd_array==NULL)
182	return NT_STATUS_NO_MEMORY;	182	return NT_STATUS_NO_MEMORY;
Lines 214-220 Link Here
214	static BOOL group_map_init;	214	static BOOL group_map_init;
215	extern DOM_SID global_sam_sid;	215	extern DOM_SID global_sam_sid;
216		216
217	ret_map = (GROUP_MAP )malloc(sizeof(GROUP_MAP)*2);	217	ret_map = (GROUP_MAP )malloc_array(sizeof(GROUP_MAP), 2);
218	if (!ret_map)	218	if (!ret_map)
219	return 2;	219	return 2;
220		220
Lines 268-274 Link Here
268		268
269	info->disp_info.num_group_account=group_entries;	269	info->disp_info.num_group_account=group_entries;
270		270
271	grp_array=(DISP_GROUP_INFO )malloc(info->disp_info.num_group_accountsizeof(DISP_GROUP_INFO));	271	grp_array=(DISP_GROUP_INFO *)malloc_array(info->disp_info.num_group_account, sizeof(DISP_GROUP_INFO));
272		272
273	if (group_entries!=0 && grp_array==NULL) {	273	if (group_entries!=0 && grp_array==NULL) {
274	return NT_STATUS_NO_MEMORY;	274	return NT_STATUS_NO_MEMORY;
Lines 557-565 Link Here
557	if (num_sam_entries == 0)	557	if (num_sam_entries == 0)
558	return;	558	return;
559		559
560	sam = (SAM_ENTRY )talloc_zero(ctx, sizeof(SAM_ENTRY)num_sam_entries);	560	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);
561		561
562	uni_name = (UNISTR2 )talloc_zero(ctx, sizeof(UNISTR2)num_sam_entries);	562	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);
563		563
564	if (sam == NULL \|\| uni_name == NULL) {	564	if (sam == NULL \|\| uni_name == NULL) {
565	DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));	565	DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
Lines 644-652 Link Here
644	if (num_sam_entries == 0)	644	if (num_sam_entries == 0)
645	return;	645	return;
646		646
647	sam = (SAM_ENTRY )talloc_zero(ctx, sizeof(SAM_ENTRY)num_sam_entries);	647	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);
648		648
649	uni_name = (UNISTR2 )talloc_zero(ctx, sizeof(UNISTR2)num_sam_entries);	649	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);
650		650
651	if (sam == NULL \|\| uni_name == NULL) {	651	if (sam == NULL \|\| uni_name == NULL) {
652	DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));	652	DEBUG(0, ("NULL pointers in SAMR_R_QUERY_DISPINFO\n"));
Lines 996-1002 Link Here
996	switch (q_u->switch_level) {	996	switch (q_u->switch_level) {
997	case 0x1:	997	case 0x1:
998	if (max_entries) {	998	if (max_entries) {
999	if (!(ctr->sam.info1 = (SAM_DISPINFO_1 )talloc_zero(p->mem_ctx,max_entriessizeof(SAM_DISPINFO_1))))	999	if (!(ctr->sam.info1 = (SAM_DISPINFO_1 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_1))))
1000	return NT_STATUS_NO_MEMORY;	1000	return NT_STATUS_NO_MEMORY;
1001	}	1001	}
1002	disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, info->disp_info.disp_user_info);	1002	disp_ret = init_sam_dispinfo_1(p->mem_ctx, ctr->sam.info1, max_entries, enum_context, info->disp_info.disp_user_info);
Lines 1005-1011 Link Here
1005	break;	1005	break;
1006	case 0x2:	1006	case 0x2:
1007	if (max_entries) {	1007	if (max_entries) {
1008	if (!(ctr->sam.info2 = (SAM_DISPINFO_2 )talloc_zero(p->mem_ctx,max_entriessizeof(SAM_DISPINFO_2))))	1008	if (!(ctr->sam.info2 = (SAM_DISPINFO_2 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_2))))
1009	return NT_STATUS_NO_MEMORY;	1009	return NT_STATUS_NO_MEMORY;
1010	}	1010	}
1011	disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, info->disp_info.disp_user_info);	1011	disp_ret = init_sam_dispinfo_2(p->mem_ctx, ctr->sam.info2, max_entries, enum_context, info->disp_info.disp_user_info);
Lines 1014-1020 Link Here
1014	break;	1014	break;
1015	case 0x3:	1015	case 0x3:
1016	if (max_entries) {	1016	if (max_entries) {
1017	if (!(ctr->sam.info3 = (SAM_DISPINFO_3 )talloc_zero(p->mem_ctx,max_entriessizeof(SAM_DISPINFO_3))))	1017	if (!(ctr->sam.info3 = (SAM_DISPINFO_3 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_3))))
1018	return NT_STATUS_NO_MEMORY;	1018	return NT_STATUS_NO_MEMORY;
1019	}	1019	}
1020	disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);	1020	disp_ret = init_sam_dispinfo_3(p->mem_ctx, ctr->sam.info3, max_entries, enum_context, info->disp_info.disp_group_info);
Lines 1023-1029 Link Here
1023	break;	1023	break;
1024	case 0x4:	1024	case 0x4:
1025	if (max_entries) {	1025	if (max_entries) {
1026	if (!(ctr->sam.info4 = (SAM_DISPINFO_4 )talloc_zero(p->mem_ctx,max_entriessizeof(SAM_DISPINFO_4))))	1026	if (!(ctr->sam.info4 = (SAM_DISPINFO_4 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_4))))
1027	return NT_STATUS_NO_MEMORY;	1027	return NT_STATUS_NO_MEMORY;
1028	}	1028	}
1029	disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);	1029	disp_ret = init_sam_dispinfo_4(p->mem_ctx, ctr->sam.info4, max_entries, enum_context, info->disp_info.disp_user_info);
Lines 1032-1038 Link Here
1032	break;	1032	break;
1033	case 0x5:	1033	case 0x5:
1034	if (max_entries) {	1034	if (max_entries) {
1035	if (!(ctr->sam.info5 = (SAM_DISPINFO_5 )talloc_zero(p->mem_ctx,max_entriessizeof(SAM_DISPINFO_5))))	1035	if (!(ctr->sam.info5 = (SAM_DISPINFO_5 *)talloc_zero_array(p->mem_ctx,max_entries, sizeof(SAM_DISPINFO_5))))
1036	return NT_STATUS_NO_MEMORY;	1036	return NT_STATUS_NO_MEMORY;
1037	}	1037	}
1038	disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);	1038	disp_ret = init_sam_dispinfo_5(p->mem_ctx, ctr->sam.info5, max_entries, enum_context, info->disp_info.disp_group_info);
Lines 1292-1302 Link Here
1292	*pp_hdr_name = NULL;	1292	*pp_hdr_name = NULL;
1293		1293
1294	if (num_names != 0) {	1294	if (num_names != 0) {
1295	hdr_name = (UNIHDR )talloc_zero(ctx, sizeof(UNIHDR)num_names);	1295	hdr_name = (UNIHDR *)talloc_zero_array(ctx, sizeof(UNIHDR), num_names);
1296	if (hdr_name == NULL)	1296	if (hdr_name == NULL)
1297	return False;	1297	return False;
1298		1298
1299	uni_name = (UNISTR2 )talloc_zero(ctx,sizeof(UNISTR2)num_names);	1299	uni_name = (UNISTR2 *)talloc_zero_array(ctx,sizeof(UNISTR2), num_names);
1300	if (uni_name == NULL)	1300	if (uni_name == NULL)
1301	return False;	1301	return False;
1302	}	1302	}
Lines 1342-1348 Link Here
1342	}	1342	}
1343		1343
1344	if (num_rids) {	1344	if (num_rids) {
1345	if ((group_attrs = (uint32 )talloc_zero(p->mem_ctx, num_rids sizeof(uint32))) == NULL)	1345	if ((group_attrs = (uint32 *)talloc_zero_array(p->mem_ctx, num_rids, sizeof(uint32))) == NULL)
1346	return NT_STATUS_NO_MEMORY;	1346	return NT_STATUS_NO_MEMORY;
1347	}	1347	}
1348		1348
Lines 2078-2085 Link Here
2078	if (num_sam_entries == 0)	2078	if (num_sam_entries == 0)
2079	return True;	2079	return True;
2080		2080
2081	sam = (SAM_ENTRY )talloc_zero(ctx, sizeof(SAM_ENTRY)num_sam_entries);	2081	sam = (SAM_ENTRY *)talloc_zero_array(ctx, sizeof(SAM_ENTRY), num_sam_entries);
2082	uni_name = (UNISTR2 )talloc_zero(ctx, sizeof(UNISTR2)num_sam_entries);	2082	uni_name = (UNISTR2 *)talloc_zero_array(ctx, sizeof(UNISTR2), num_sam_entries);
2083		2083
2084	if (sam == NULL \|\| uni_name == NULL)	2084	if (sam == NULL \|\| uni_name == NULL)
2085	return False;	2085	return False;
Lines 2608-2614 Link Here
2608	int num_rids;	2608	int num_rids;
2609		2609
2610	num_rids = 1;	2610	num_rids = 1;
2611	rid=(uint32 )talloc_zero(p->mem_ctx, num_ridssizeof(uint32));	2611	rid=(uint32 *)talloc_zero_array(p->mem_ctx, num_rids, sizeof(uint32));
2612	if (rid == NULL)	2612	if (rid == NULL)
2613	return NT_STATUS_NO_MEMORY;	2613	return NT_STATUS_NO_MEMORY;
2614		2614

Lines 880-886 Link Here

(-)samba-2.2.8a.orig/source/rpc_server/srv_spoolss_nt.c (-27 / +31 lines)
880		880
881	len = unistrlen(devmode->devicename.buffer);	881	len = unistrlen(devmode->devicename.buffer);
882	if (len != -1) {	882	if (len != -1) {
883	d->devicename.buffer = talloc(ctx, len*2);	883	d->devicename.buffer = talloc_array(ctx, len, 2);
884	if (unistrcpy(d->devicename.buffer, devmode->devicename.buffer) != len)	884	if (unistrcpy(d->devicename.buffer, devmode->devicename.buffer) != len)
885	return NULL;	885	return NULL;
886	}	886	}
Lines 888-894 Link Here
888		888
889	len = unistrlen(devmode->formname.buffer);	889	len = unistrlen(devmode->formname.buffer);
890	if (len != -1) {	890	if (len != -1) {
891	d->devicename.buffer = talloc(ctx, len*2);	891	d->devicename.buffer = talloc_array(ctx, len, 2);
892	if (unistrcpy(d->formname.buffer, devmode->formname.buffer) != len)	892	if (unistrcpy(d->formname.buffer, devmode->formname.buffer) != len)
893	return NULL;	893	return NULL;
894	}	894	}
Lines 1305-1311 Link Here
1305	if ((devmode->driverextra != 0) && (devmode->private != NULL)) {	1305	if ((devmode->driverextra != 0) && (devmode->private != NULL)) {
1306	SAFE_FREE(nt_devmode->private);	1306	SAFE_FREE(nt_devmode->private);
1307	nt_devmode->driverextra=devmode->driverextra;	1307	nt_devmode->driverextra=devmode->driverextra;
1308	if((nt_devmode->private=(uint8 )malloc(nt_devmode->driverextra sizeof(uint8))) == NULL)	1308	if((nt_devmode->private=(uint8 *)malloc_array(nt_devmode->driverextra, sizeof(uint8))) == NULL)
1309	return False;	1309	return False;
1310	memcpy(nt_devmode->private, devmode->private, nt_devmode->driverextra);	1310	memcpy(nt_devmode->private, devmode->private, nt_devmode->driverextra);
1311	}	1311	}
Lines 1521-1527 Link Here
1521		1521
1522	if (!strcmp(value, "W3SvcInstalled")) {	1522	if (!strcmp(value, "W3SvcInstalled")) {
1523	*type = 0x4;	1523	*type = 0x4;
1524	if((data = (uint8 )talloc_zero(ctx, 4*sizeof(uint8) )) == NULL)	1524	if((data = (uint8 )talloc_zero_array(ctx, 4, sizeof(uint8) )) == NULL)
1525	return False;	1525	return False;
1526	*needed = 0x4;	1526	*needed = 0x4;
1527	return True;	1527	return True;
Lines 1574-1580 Link Here
1574	fstrcpy(string, string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH));	1574	fstrcpy(string, string_truncate(lp_serverstring(), MAX_SERVER_STRING_LENGTH));
1575	*type = 0x1;	1575	*type = 0x1;
1576	needed = 2(strlen(string)+1);	1576	needed = 2(strlen(string)+1);
1577	if((data = (uint8 )talloc(ctx, ((needed > in_size) ? needed:in_size) *sizeof(uint8))) == NULL)	1577	if((data = (uint8 )talloc_array(ctx, ((needed > in_size) ? needed:in_size), sizeof(uint8))) == NULL)
1578	return False;	1578	return False;
1579	memset(data, 0, (needed > in_size) ? *needed:in_size);	1579	memset(data, 0, (needed > in_size) ? *needed:in_size);
1580		1580
Lines 1590-1596 Link Here
1590	pstring string="Windows NT x86";	1590	pstring string="Windows NT x86";
1591	*type = 0x1;	1591	*type = 0x1;
1592	needed = 2(strlen(string)+1);	1592	needed = 2(strlen(string)+1);
1593	if((data = (uint8 )talloc(ctx, ((needed > in_size) ? needed:in_size) *sizeof(uint8))) == NULL)	1593	if((data = (uint8 )talloc_array(ctx, ((needed > in_size) ? needed:in_size), sizeof(uint8))) == NULL)
1594	return False;	1594	return False;
1595	memset(data, 0, (needed > in_size) ? *needed:in_size);	1595	memset(data, 0, (needed > in_size) ? *needed:in_size);
1596	for (i=0; i<strlen(string); i++) {	1596	for (i=0; i<strlen(string); i++) {
Lines 1640-1646 Link Here
1640	DEBUG(5,("getprinterdata_printer:allocating %d\n", in_size));	1640	DEBUG(5,("getprinterdata_printer:allocating %d\n", in_size));
1641		1641
1642	if (in_size) {	1642	if (in_size) {
1643	if((data = (uint8 )talloc(ctx, in_size *sizeof(uint8) )) == NULL) {	1643	if((data = (uint8 )talloc_array(ctx, in_size, sizeof(uint8) )) == NULL) {
1644	return False;	1644	return False;
1645	}	1645	}
1646		1646
Lines 1711-1717 Link Here
1711	DEBUG(5, ("value not found, allocating %d\n", *out_size));	1711	DEBUG(5, ("value not found, allocating %d\n", *out_size));
1712	/* reply this param doesn't exist */	1712	/* reply this param doesn't exist */
1713	if (*out_size) {	1713	if (*out_size) {
1714	if((data=(uint8 )talloc_zero(p->mem_ctx, out_sizesizeof(uint8))) == NULL)	1714	if((data=(uint8 )talloc_zero_array(p->mem_ctx, *out_size, sizeof(uint8))) == NULL)
1715	return WERR_NOMEM;	1715	return WERR_NOMEM;
1716	} else {	1716	} else {
1717	*data = NULL;	1717	*data = NULL;
Lines 2704-2710 Link Here
2704	if (!search_notify(type, field, &j) )	2704	if (!search_notify(type, field, &j) )
2705	continue;	2705	continue;
2706		2706
2707	if((tid=(SPOOL_NOTIFY_INFO_DATA )Realloc(info->data, (info->count+1)sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {	2707	if((tid=(SPOOL_NOTIFY_INFO_DATA *)realloc_array(info->data, (info->count+1), sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {
2708	DEBUG(2,("construct_notify_printer_info: failed to enlarge buffer info->data!\n"));	2708	DEBUG(2,("construct_notify_printer_info: failed to enlarge buffer info->data!\n"));
2709	return False;	2709	return False;
2710	}	2710	}
Lines 2760-2766 Link Here
2760	if (!search_notify(type, field, &j) )	2760	if (!search_notify(type, field, &j) )
2761	continue;	2761	continue;
2762		2762
2763	if((tid=Realloc(info->data, (info->count+1)*sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {	2763	if((tid=realloc_array(info->data, (info->count+1), sizeof(SPOOL_NOTIFY_INFO_DATA))) == NULL) {
2764	DEBUG(2,("construct_notify_jobs_info: failed to enlarg buffer info->data!\n"));	2764	DEBUG(2,("construct_notify_jobs_info: failed to enlarg buffer info->data!\n"));
2765	return False;	2765	return False;
2766	}	2766	}
Lines 3420-3426 Link Here
3420	DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));	3420	DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));
3421		3421
3422	if (construct_printer_info_1(flags, &current_prt, snum)) {	3422	if (construct_printer_info_1(flags, &current_prt, snum)) {
3423	if((tp=Realloc(printers, (returned +1)sizeof(PRINTER_INFO_1))) == NULL) {	3423	if((tp=realloc_array(printers, (*returned +1), sizeof(PRINTER_INFO_1))) == NULL) {
3424	DEBUG(2,("enum_all_printers_info_1: failed to enlarge printers buffer!\n"));	3424	DEBUG(2,("enum_all_printers_info_1: failed to enlarge printers buffer!\n"));
3425	SAFE_FREE(printers);	3425	SAFE_FREE(printers);
3426	*returned=0;	3426	*returned=0;
Lines 3589-3595 Link Here
3589	DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));	3589	DEBUG(4,("Found a printer in smb.conf: %s[%x]\n", lp_servicename(snum), snum));
3590		3590
3591	if (construct_printer_info_2(&current_prt, snum)) {	3591	if (construct_printer_info_2(&current_prt, snum)) {
3592	if((tp=Realloc(printers, (returned +1)sizeof(PRINTER_INFO_2))) == NULL) {	3592	if((tp=realloc_array(printers, (*returned +1), sizeof(PRINTER_INFO_2))) == NULL) {
3593	DEBUG(2,("enum_all_printers_info_2: failed to enlarge printers buffer!\n"));	3593	DEBUG(2,("enum_all_printers_info_2: failed to enlarge printers buffer!\n"));
3594	SAFE_FREE(printers);	3594	SAFE_FREE(printers);
3595	*returned = 0;	3595	*returned = 0;
Lines 4116-4122 Link Here
4116	if (strlen(v) == 0) break;	4116	if (strlen(v) == 0) break;
4117	slprintf(line, sizeof(line)-1, "\\\\%s%s", servername, v);	4117	slprintf(line, sizeof(line)-1, "\\\\%s%s", servername, v);
4118	DEBUGADD(6,("%d:%s:%d\n", i, line, strlen(line)));	4118	DEBUGADD(6,("%d:%s:%d\n", i, line, strlen(line)));
4119	if((tuary=Realloc(uni_array, (j+strlen(line)+2)sizeof(uint16))) == NULL) {	4119	if((tuary=realloc_array(*uni_array, (j+strlen(line)+2), sizeof(uint16))) == NULL) {
4120	DEBUG(2,("init_unistr_array: Realloc error\n" ));	4120	DEBUG(2,("init_unistr_array: Realloc error\n" ));
4121	return;	4121	return;
4122	} else	4122	} else
Lines 5529-5535 Link Here
5529	JOB_INFO_1 *info;	5529	JOB_INFO_1 *info;
5530	int i;	5530	int i;
5531		5531
5532	info=(JOB_INFO_1 )malloc(returned*sizeof(JOB_INFO_1));	5532	info=(JOB_INFO_1 )malloc_array(returned, sizeof(JOB_INFO_1));
5533	if (info==NULL) {	5533	if (info==NULL) {
5534	SAFE_FREE(queue);	5534	SAFE_FREE(queue);
5535	*returned=0;	5535	*returned=0;
Lines 5579-5585 Link Here
5579	WERROR result;	5579	WERROR result;
5580	DEVICEMODE *devmode = NULL;	5580	DEVICEMODE *devmode = NULL;
5581		5581
5582	info=(JOB_INFO_2 )malloc(returned*sizeof(JOB_INFO_2));	5582	info=(JOB_INFO_2 )malloc_array(returned, sizeof(JOB_INFO_2));
5583	if (info==NULL) {	5583	if (info==NULL) {
5584	*returned=0;	5584	*returned=0;
5585	result = WERR_NOMEM;	5585	result = WERR_NOMEM;
Lines 5771-5777 Link Here
5771	return WERR_NOMEM;	5771	return WERR_NOMEM;
5772		5772
5773	if(ndrivers != 0) {	5773	if(ndrivers != 0) {
5774	if((tdi1=(DRIVER_INFO_1 )Realloc(driver_info_1, (returned+ndrivers) * sizeof(DRIVER_INFO_1))) == NULL) {	5774	if((tdi1=(DRIVER_INFO_1 )realloc_array(driver_info_1, (returned+ndrivers), sizeof(DRIVER_INFO_1))) == NULL) {
5775	DEBUG(0,("enumprinterdrivers_level1: failed to enlarge driver info buffer!\n"));	5775	DEBUG(0,("enumprinterdrivers_level1: failed to enlarge driver info buffer!\n"));
5776	SAFE_FREE(driver_info_1);	5776	SAFE_FREE(driver_info_1);
5777	SAFE_FREE(list);	5777	SAFE_FREE(list);
Lines 5852-5858 Link Here
5852	return WERR_NOMEM;	5852	return WERR_NOMEM;
5853		5853
5854	if(ndrivers != 0) {	5854	if(ndrivers != 0) {
5855	if((tdi2=(DRIVER_INFO_2 )Realloc(driver_info_2, (returned+ndrivers) * sizeof(DRIVER_INFO_2))) == NULL) {	5855	if((tdi2=(DRIVER_INFO_2 )realloc_array(driver_info_2, (returned+ndrivers), sizeof(DRIVER_INFO_2))) == NULL) {
5856	DEBUG(0,("enumprinterdrivers_level2: failed to enlarge driver info buffer!\n"));	5856	DEBUG(0,("enumprinterdrivers_level2: failed to enlarge driver info buffer!\n"));
5857	SAFE_FREE(driver_info_2);	5857	SAFE_FREE(driver_info_2);
5858	SAFE_FREE(list);	5858	SAFE_FREE(list);
Lines 5934-5940 Link Here
5934	return WERR_NOMEM;	5934	return WERR_NOMEM;
5935		5935
5936	if(ndrivers != 0) {	5936	if(ndrivers != 0) {
5937	if((tdi3=(DRIVER_INFO_3 )Realloc(driver_info_3, (returned+ndrivers) * sizeof(DRIVER_INFO_3))) == NULL) {	5937	if((tdi3=(DRIVER_INFO_3 )realloc_array(driver_info_3, (returned+ndrivers), sizeof(DRIVER_INFO_3))) == NULL) {
5938	DEBUG(0,("enumprinterdrivers_level3: failed to enlarge driver info buffer!\n"));	5938	DEBUG(0,("enumprinterdrivers_level3: failed to enlarge driver info buffer!\n"));
5939	SAFE_FREE(driver_info_3);	5939	SAFE_FREE(driver_info_3);
5940	SAFE_FREE(list);	5940	SAFE_FREE(list);
Lines 6087-6093 Link Here
6087		6087
6088	switch (level) {	6088	switch (level) {
6089	case 1:	6089	case 1:
6090	if ((forms_1=(FORM_1 )malloc(numofforms * sizeof(FORM_1))) == NULL) {	6090	if ((forms_1=(FORM_1 )malloc_array(numofforms, sizeof(FORM_1))) == NULL) {
6091	*numofforms=0;	6091	*numofforms=0;
6092	return WERR_NOMEM;	6092	return WERR_NOMEM;
6093	}	6093	}
Lines 6293-6299 Link Here
6293	close(fd);	6293	close(fd);
6294		6294
6295	if(numlines) {	6295	if(numlines) {
6296	if((ports=(PORT_INFO_1 )malloc( numlines sizeof(PORT_INFO_1) )) == NULL) {	6296	if((ports=(PORT_INFO_1 *)malloc_array( numlines, sizeof(PORT_INFO_1) )) == NULL) {
6297	DEBUG(10,("Returning WERR_NOMEM [%s]\n",	6297	DEBUG(10,("Returning WERR_NOMEM [%s]\n",
6298	dos_errstr(WERR_NOMEM)));	6298	dos_errstr(WERR_NOMEM)));
6299	file_lines_free(qlines);	6299	file_lines_free(qlines);
Lines 6392-6398 Link Here
6392	close(fd);	6392	close(fd);
6393		6393
6394	if(numlines) {	6394	if(numlines) {
6395	if((ports=(PORT_INFO_2 )malloc( numlines sizeof(PORT_INFO_2) )) == NULL) {	6395	if((ports=(PORT_INFO_2 *)malloc_array( numlines, sizeof(PORT_INFO_2) )) == NULL) {
6396	file_lines_free(qlines);	6396	file_lines_free(qlines);
6397	return WERR_NOMEM;	6397	return WERR_NOMEM;
6398	}	6398	}
Lines 6930-6936 Link Here
6930	problems unmarshalling the response */	6930	problems unmarshalling the response */
6931		6931
6932	*out_max_value_len=(in_value_len/sizeof(uint16));	6932	*out_max_value_len=(in_value_len/sizeof(uint16));
6933	if((out_value=(uint16 )talloc_zero(p->mem_ctx, in_value_len*sizeof(uint8))) == NULL)	6933	if((out_value=(uint16 )talloc_zero_array(p->mem_ctx, in_value_len, sizeof(uint8))) == NULL)
6934	return WERR_NOMEM;	6934	return WERR_NOMEM;
6935		6935
6936	out_value_len = (uint32)dos_PutUniCode((char )*out_value, "", in_value_len, True);	6936	out_value_len = (uint32)dos_PutUniCode((char )*out_value, "", in_value_len, True);
Lines 6938-6944 Link Here
6938	/* the data is counted in bytes */	6938	/* the data is counted in bytes */
6939	*out_max_data_len = in_data_len;	6939	*out_max_data_len = in_data_len;
6940	*out_data_len = in_data_len;	6940	*out_data_len = in_data_len;
6941	if((data_out=(uint8 )talloc_zero(p->mem_ctx, in_data_len*sizeof(uint8))) == NULL)	6941	if((data_out=(uint8 )talloc_zero_array(p->mem_ctx, in_data_len, sizeof(uint8))) == NULL)
6942	return WERR_NOMEM;	6942	return WERR_NOMEM;
6943		6943
6944	return WERR_NO_MORE_ITEMS;	6944	return WERR_NO_MORE_ITEMS;
Lines 6956-6962 Link Here
6956	*/	6956	*/
6957		6957
6958	*out_max_value_len=(in_value_len/sizeof(uint16));	6958	*out_max_value_len=(in_value_len/sizeof(uint16));
6959	if((out_value=(uint16 )talloc_zero(p->mem_ctx,in_value_len*sizeof(uint8))) == NULL) {	6959	if((out_value=(uint16 )talloc_zero_array(p->mem_ctx,in_value_len, sizeof(uint8))) == NULL) {
6960	SAFE_FREE(data);	6960	SAFE_FREE(data);
6961	return WERR_NOMEM;	6961	return WERR_NOMEM;
6962	}	6962	}
Lines 6967-6973 Link Here
6967		6967
6968	/* the data is counted in bytes */	6968	/* the data is counted in bytes */
6969	*out_max_data_len=in_data_len;	6969	*out_max_data_len=in_data_len;
6970	if((data_out=(uint8 )talloc_zero(p->mem_ctx, in_data_len*sizeof(uint8))) == NULL) {	6970	if((data_out=(uint8 )talloc_zero_array(p->mem_ctx, in_data_len, sizeof(uint8))) == NULL) {
6971	SAFE_FREE(data);	6971	SAFE_FREE(data);
6972	return WERR_NOMEM;	6972	return WERR_NOMEM;
6973	}	6973	}
Lines 7812-7818 Link Here
7812		7812
7813	/* reply this param doesn't exist */	7813	/* reply this param doesn't exist */
7814	if (*out_size) {	7814	if (*out_size) {
7815	if((data=(uint8 )talloc_zero(p->mem_ctx, out_sizesizeof(uint8))) == NULL)	7815	if((data=(uint8 )talloc_zero_array(p->mem_ctx, *out_size, sizeof(uint8))) == NULL)
7816	return WERR_NOMEM;	7816	return WERR_NOMEM;
7817	} else {	7817	} else {
7818	*data = NULL;	7818	*data = NULL;
Lines 7995-8001 Link Here
7995	PRINTER_ENUM_VALUES *ptr;	7995	PRINTER_ENUM_VALUES *ptr;
7996		7996
7997	DEBUG(10,("retrieved value number [%d] [%s]\n", num_entries, value));	7997	DEBUG(10,("retrieved value number [%d] [%s]\n", num_entries, value));
7998		7998	if((num_entries+1) >= UINT_MAX/sizeof(PRINTER_ENUM_VALUES))
		7999	{
		8000	DEBUG(0,("_spoolss_enumprinterdataex: integer overflow detected.\n"));
		8001	goto done;
		8002	}
7999	if ((ptr=talloc_realloc(p->mem_ctx, enum_values, (num_entries+1) * sizeof(PRINTER_ENUM_VALUES))) == NULL)	8003	if ((ptr=talloc_realloc(p->mem_ctx, enum_values, (num_entries+1) * sizeof(PRINTER_ENUM_VALUES))) == NULL)
8000	{	8004	{
8001	DEBUG(0,("talloc_realloc failed to allocate more memory!\n"));	8005	DEBUG(0,("talloc_realloc failed to allocate more memory!\n"));

Lines 494-500 Link Here

(-)samba-2.2.8a.orig/source/rpc_server/srv_srvsvc_nt.c (-4 / +4 lines)
494	SRV_SHARE_INFO_1 *info1;	494	SRV_SHARE_INFO_1 *info1;
495	int i = 0;	495	int i = 0;
496		496
497	info1 = talloc(ctx, num_entries * sizeof(SRV_SHARE_INFO_1));	497	info1 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_1));
498		498
499	for (snum = *resume_hnd; snum < num_services; snum++) {	499	for (snum = *resume_hnd; snum < num_services; snum++) {
500	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {	500	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {
Lines 511-517 Link Here
511	SRV_SHARE_INFO_2 *info2;	511	SRV_SHARE_INFO_2 *info2;
512	int i = 0;	512	int i = 0;
513		513
514	info2 = talloc(ctx, num_entries * sizeof(SRV_SHARE_INFO_2));	514	info2 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_2));
515		515
516	for (snum = *resume_hnd; snum < num_services; snum++) {	516	for (snum = *resume_hnd; snum < num_services; snum++) {
517	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {	517	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {
Lines 528-534 Link Here
528	SRV_SHARE_INFO_501 *info501;	528	SRV_SHARE_INFO_501 *info501;
529	int i = 0;	529	int i = 0;
530		530
531	info501 = talloc(ctx, num_entries * sizeof(SRV_SHARE_INFO_501));	531	info501 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_501));
532		532
533	for (snum = *resume_hnd; snum < num_services; snum++) {	533	for (snum = *resume_hnd; snum < num_services; snum++) {
534	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {	534	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {
Lines 545-551 Link Here
545	SRV_SHARE_INFO_502 *info502;	545	SRV_SHARE_INFO_502 *info502;
546	int i = 0;	546	int i = 0;
547		547
548	info502 = talloc(ctx, num_entries * sizeof(SRV_SHARE_INFO_502));	548	info502 = talloc_array(ctx, num_entries, sizeof(SRV_SHARE_INFO_502));
549		549
550	for (snum = *resume_hnd; snum < num_services; snum++) {	550	for (snum = *resume_hnd; snum < num_services; snum++) {
551	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {	551	if (lp_browseable(snum) && lp_snum_ok(snum) && (all_shares \|\| !is_admin_share(snum)) ) {

Lines 1009-1025 Link Here

(-)samba-2.2.8a.orig/source/smbd/lanman.c (-4 / +4 lines)
1009	if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))	1009	if (lp_snum_ok(i) && lp_print_ok(i) && lp_browseable(i))
1010	queuecnt++;	1010	queuecnt++;
1011	if (uLevel > 0) {	1011	if (uLevel > 0) {
1012	if((queue = (print_queue_struct*)malloc(queuecntsizeof(print_queue_struct*))) == NULL) {	1012	if((queue = (print_queue_struct*)malloc_array(queuecnt, sizeof(print_queue_struct))) == NULL) {
1013	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));	1013	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
1014	return False;	1014	return False;
1015	}	1015	}
1016	memset(queue,0,queuecntsizeof(print_queue_struct));	1016	memset(queue,0,queuecntsizeof(print_queue_struct));
1017	if((status = (print_status_struct)malloc(queuecntsizeof(print_status_struct))) == NULL) {	1017	if((status = (print_status_struct*)malloc_array(queuecnt, sizeof(print_status_struct))) == NULL) {
1018	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));	1018	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
1019	return False;	1019	return False;
1020	}	1020	}
1021	memset(status,0,queuecnt*sizeof(print_status_struct));	1021	memset(status,0,queuecnt*sizeof(print_status_struct));
1022	if((subcntarr = (int)malloc(queuecntsizeof(int))) == NULL) {	1022	if((subcntarr = (int*)malloc_array(queuecnt, sizeof(int))) == NULL) {
1023	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));	1023	DEBUG(0,("api_DosPrintQEnum: malloc fail !\n"));
1024	return False;	1024	return False;
1025	}	1025	}
Lines 1136-1142 Link Here
1136		1136
1137	alloced += 10;	1137	alloced += 10;
1138	ts = (struct srv_info_struct *)	1138	ts = (struct srv_info_struct *)
1139	Realloc(servers,sizeof(servers)alloced);	1139	realloc_array(servers, sizeof(*servers), alloced);
1140	if (!ts) {	1140	if (!ts) {
1141	DEBUG(0,("get_server_info: failed to enlarge servers info struct!\n"));	1141	DEBUG(0,("get_server_info: failed to enlarge servers info struct!\n"));
1142	return(0);	1142	return(0);

Lines 67-76 Link Here

(-)samba-2.2.8a.orig/source/utils/make_smbcodepage.c (-2 / +8 lines)
67	pstring linebuf;	67	pstring linebuf;
68	char p = buf;	68	char p = buf;
69	int num_lines = 0;	69	int num_lines = 0;
70	char newbuf = (char )malloc( *size + 1);	70	char *newbuf;
71	char *newbuf_p = NULL;	71	char *newbuf_p = NULL;
72		72
73	if(newbuf == NULL)	73	if(*size == UINT_MAX)
		74	{
		75	fprintf(stderr, "%s: size %lu is too big (integer overflow).\n", prog_name, *size);
		76	exit(1);
		77	}
		78
		79	if((newbuf = (char )malloc( size + 1)) == NULL)
74	{	80	{
75	fprintf(stderr, "%s: malloc fail for size %d.\n", prog_name, *size + 1);	81	fprintf(stderr, "%s: malloc fail for size %d.\n", prog_name, *size + 1);
76	exit(1);	82	exit(1);

Lines 66-75 Link Here

(-)samba-2.2.8a.orig/source/utils/make_unicodemap.c (-2 / +10 lines)
66	pstring linebuf;	66	pstring linebuf;
67	char p = buf;	67	char p = buf;
68	size_t num_lines = 0;	68	size_t num_lines = 0;
69	char newbuf = (char )malloc( *size + 1);	69	char *newbuf;
70	char *newbuf_p = NULL;	70	char *newbuf_p = NULL;
71		71
72	if(newbuf == NULL) {	72
		73	if(*size == UINT_MAX)
		74	{
		75	fprintf(stderr, "%s: size %lu is too big (integer overflow).\n", prog_name, *size);
		76	exit(1);
		77	}
		78
		79	if((newbuf = (char )malloc( size + 1)) == NULL)
		80	{
73	fprintf(stderr, "%s: malloc fail for size %u.\n", prog_name, (unsigned int)(*size + 1));	81	fprintf(stderr, "%s: malloc fail for size %u.\n", prog_name, (unsigned int)(*size + 1));
74	exit(1);	82	exit(1);
75	}	83	}

Lines 94-101 Link Here

(-)samba-2.2.8a.orig/source/web/cgi.c (-2 / +14 lines)
94		94
95	if (i == len) {	95	if (i == len) {
96	char *ret2;	96	char *ret2;
97	if (len == 0) len = 1024;	97	if (len == 0)
98	else len *= 2;	98	{
		99	len = 1024;
		100	}
		101	else
		102	{
		103	if(len >= INT_MAX/2)
		104	{
		105	if(ret)
		106	free(ret);
		107	return NULL;
		108	}
		109	len *= 2;
		110	}
99	ret2 = (char *)Realloc(ret, len);	111	ret2 = (char *)Realloc(ret, len);
100	if (!ret2) return ret;	112	if (!ret2) return ret;
101	ret = ret2;	113	ret = ret2;