Author: Jim Meyering
ruby -v: ruby 1.9.3dev (2010-06-29 trunk 28473) [x86_64-linux]

Here is a patch to fix two NULL-dereference problems in st.c's st_init_table_with_size function. Its malloc and calloc return values were not checked for NULL.

However, there is another problem not fixed by the patch below. The ADD_DIRECT macro calls "alloc" (aka malloc), and immediately dereferences the result. A minimal patch would be to use xmalloc in place of alloc here, but I don't know if such semantics would be appropriate.

#define ADD_DIRECT(table, key, value, hash_val, bin_pos)\
do {\
    st_table_entry *entry;\
    if (table->num_entries > ST_DEFAULT_MAX_DENSITY * table->num_bins) {\
        rehash(table);\
        bin_pos = hash_val % table->num_bins;\
    }\
    \
    entry = alloc(st_table_entry);\
    \
    entry->hash = hash_val;\
    ...

Tue Jun 29 15:04:38 2010  Jim Meyering  <meyering / redhat.com>

	st.c: do not dereference NULL upon allocation failure
	* st.c (st_init_table_with_size): Handle NULL-return from calloc and malloc.

From a0803a034b2cc26748eed586afbdae27651ccdcb Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering / redhat.com>
Date: Tue, 29 Jun 2010 08:06:10 +0200
Subject: [PATCH] st.c: do not dereference NULL upon allocation failure

* st.c (st_init_table_with_size): Handle NULL-return from calloc and malloc.
---
 st.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/st.c b/st.c
index ec518e9..47b0f2f 100644
--- a/st.c
+++ b/st.c
@@ -184,11 +184,17 @@ st_init_table_with_size(const struct st_hash_type *type, st_index_t size)
size = new_size(size); /* round up to prime number */
tbl = alloc(st_table);
+ if (tbl == NULL)
+ return NULL;
tbl->type = type;
tbl->num_entries = 0;
tbl->entries_packed = type == &type_numhash && size/2 <= MAX_PACKED_NUMHASH;
tbl->num_bins = size;
tbl->bins = (st_table_entry **)Calloc(size, sizeof(st_table_entry*));
+ if (!tbl->bins) {
+ free (tbl);
+ return NULL;
+ }
tbl->head = 0;
tbl->tail = 0;
--
1.7.2.rc0.206.g3336
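Review bot: Returning NULL from st_init_table_with_size only removes the crash if every caller checks the result; the hunk adds `+ if (tbl == NULL)` / `+ return NULL;` and a second `+ return NULL;` after the Calloc failure, but nothing in the patch touches the callers, so a caller that immediately dereferences the returned table moves the NULL dereference one frame up instead of fixing it. Either audit the callers in the same change or, as the report itself suggests for ADD_DIRECT, route the allocations through xmalloc so that failure raises instead of returning NULL. Minor: the two new checks use different styles (`tbl == NULL` versus `!tbl->bins`), and `free (tbl)` has a space before the parenthesis while the surrounding calls (`alloc(st_table)`, `Calloc(size, ...)`) do not; pick one form.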
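The report's two fixes (check the header allocation, and on a failed bins allocation free the header before returning) are easiest to trust when the failure path can actually be exercised. The following is an added example, not code from the report or from Ruby's st.c: a hypothetical cut-down table in the shape of st_table, initialised the way the patched st_init_table_with_size is, but with a fault-injecting allocator (the names `counted_malloc`, `counted_calloc`, `alloc_budget` and `live_allocs` are all this example's own) so that a failed first or second allocation can be simulated and the "no leak on partial failure" property checked rather than assumed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cut-down table; not Ruby's st_table. */
typedef struct entry {
    struct entry *next;
} entry_t;

typedef struct table {
    size_t num_bins;
    size_t num_entries;
    entry_t **bins;
} table_t;

/* Fault-injecting allocator (constructed for this example):
 * alloc_budget > 0 allows that many more successful allocations,
 * 0 makes every allocation fail, -1 never fails.
 * live_allocs counts outstanding blocks so a leak on the error path shows. */
static long alloc_budget = -1;
static long live_allocs = 0;

static int budget_exhausted(void)
{
    if (alloc_budget == 0)
        return 1;
    if (alloc_budget > 0)
        alloc_budget--;
    return 0;
}

static void *counted_malloc(size_t n)
{
    if (budget_exhausted())
        return NULL;
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void *counted_calloc(size_t nmemb, size_t size)
{
    if (budget_exhausted())
        return NULL;
    void *p = calloc(nmemb, size);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL)
        live_allocs--;
    free(p);
}

/* Same shape as the patched st_init_table_with_size: check each allocation,
 * and when the second one fails release the header already taken. */
table_t *table_init(size_t num_bins)
{
    table_t *tbl = counted_malloc(sizeof *tbl);
    if (tbl == NULL)
        return NULL;
    tbl->num_entries = 0;
    tbl->num_bins = num_bins;
    tbl->bins = counted_calloc(num_bins, sizeof *tbl->bins);
    if (tbl->bins == NULL) {
        counted_free(tbl);   /* partial failure: do not leak the header */
        return NULL;
    }
    return tbl;
}

void table_free(table_t *tbl)
{
    if (tbl == NULL)
        return;
    counted_free(tbl->bins);
    counted_free(tbl);
}

/* Run table_init with the allocator allowed to succeed `allowed` times.
 * Returns 1 if a table came back, 0 if init reported failure with NULL. */
int init_with_budget(long allowed)
{
    alloc_budget = allowed;
    table_t *t = table_init(16);
    alloc_budget = -1;
    int ok = (t != NULL);
    table_free(t);
    return ok;
}

/* Number of blocks still allocated; 0 after every path means no leak. */
long live_allocations(void)
{
    return live_allocs;
}

int main(void)
{
    printf("no allocations allowed:  %d\n", init_with_budget(0));
    printf("one allocation allowed:  %d\n", init_with_budget(1));
    printf("two allocations allowed: %d\n", init_with_budget(2));
    printf("leaked blocks: %ld\n", live_allocations());
    return 0;
}
```

Running it with a budget of one allocation is the case the second part of the patch covers: the header is obtained, the bins allocation fails, and the header must be released before NULL is returned. The live-allocation counter returning to zero after that path is the check that the `free(tbl)` in the patch is doing its job; dropping that free makes the counter stay at one.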