From owner-acpi-jp@jp.freebsd.org  Sat Aug 12 20:01:14 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id UAA98882;
	Sat, 12 Aug 2000 20:01:14 +0900 (JST)
	(envelope-from owner-acpi-jp@jp.FreeBSD.org)
Received: from tasogare.imasy.or.jp (daemon@tasogare.imasy.or.jp [202.227.24.5])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id UAA98877
	for <acpi-jp@jp.freebsd.org>; Sat, 12 Aug 2000 20:01:14 +0900 (JST)
	(envelope-from iwasaki@jp.FreeBSD.org)
Received: from localhost (iwasaki.imasy.or.jp [202.227.24.92])
	by tasogare.imasy.or.jp (8.10.2+3.3W/3.7W-tasogare/smtpfeed 1.07) with ESMTP id e7CB1CZ47155
	for <acpi-jp@jp.freebsd.org>; Sat, 12 Aug 2000 20:01:12 +0900 (JST)
	(envelope-from iwasaki@jp.FreeBSD.org)
To: acpi-jp@jp.freebsd.org
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Message-Id: <20000812200108I.iwasaki@jp.FreeBSD.org>
Date: Sat, 12 Aug 2000 20:01:08 +0900
From: Mitsuru IWASAKI <iwasaki@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 186
Reply-To: acpi-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: acpi-jp 567
Subject: [acpi-jp 567] bug fix: zero size memory allocation
Errors-To: owner-acpi-jp@jp.freebsd.org
Sender: owner-acpi-jp@jp.freebsd.org
X-Originator: iwasaki@jp.freebsd.org

Mike $B$H$d$j<h$j$7$F$$$k$&$A$K!"(Binterpreter $B$K(B bug $B$rH/8+$7$^$7$?!#(B
memman_alloc_flexsize() $B$r8F$V$H$3$m$G(B size 0 $B$+$I$&$+$N%A%'%C%/$,(B
$BI,MW$G$7$?!#$H$j$"$($:3:Ev8D=j$rA4It@v$$=P$7$F$=$l$J$j$N=hM}$r(B
$BDI2C$7$F$*$-$^$7$?!#(B
$B:#HU?<Lk$K(B commit $B$7$F$*$-$^$9!#(B

Index: aml_obj.c
===================================================================
RCS file: /home/cvs/ACPI/sys/dev/acpi/aml/aml_obj.c,v
retrieving revision 1.16
diff -u -r1.16 aml_obj.c
--- aml_obj.c	2000/08/09 14:47:43	1.16
+++ aml_obj.c	2000/08/12 10:08:03
@@ -65,6 +65,9 @@
 		ret = aml_alloc_object(aml_t_buffer, 0);
 		ret->buffer.size = (orig->regfield.bitlen / 8) +
 		    ((orig->regfield.bitlen % 8) ? 1 : 0);
+		if (ret->buffer.size == 0) {
+			goto out;
+		}
 		ret->buffer.data = memman_alloc_flexsize(aml_memman, ret->buffer.size);
 		aml_store_to_object(env, orig, ret);
 		break;
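Review bot: The memman_alloc_flexsize() call on the line after the new zero-size guard still goes unchecked before aml_store_to_object() uses the object, while the aml_parse.c hunks in this same patch add a NULL check after every allocation; this site should do the same, e.g. `if (ret->buffer.data == NULL) { goto out; }` with env->stat set as the other sites do. The early `goto out` also skips aml_store_to_object(), and whether ret->buffer.data is already NULL at that point depends on aml_alloc_object(), which is not visible here; setting `ret->buffer.data = NULL;` before the goto would make the zero-size object self-describing. The enclosing function begins before and ends after this hunk.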
@@ -76,10 +79,16 @@
 
 	if (1 || orig != &env->tempobject) {	/* XXX */
 		if (orig->type == aml_t_buffer) {
+			if (orig->buffer.size == 0) {
+				goto out;
+			}
 			ret->buffer.data = memman_alloc_flexsize(aml_memman,
 			    orig->buffer.size);
 			bcopy(orig->buffer.data, ret->buffer.data, orig->buffer.size);
 		} else if (orig->type == aml_t_package) {
+			if (oret->package.elements == 0) {
+				goto out;
+			}
 			ret->package.objects = memman_alloc_flexsize(aml_memman,
 			    ret->package.elements * sizeof(union aml_object *));
 			for (i = 0; i < ret->package.elements; i++) {
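Review bot: The added package guard tests `oret->package.elements`, an identifier that appears nowhere else in this hunk; the allocation two lines below is sized from `ret->package.elements`, so unless `oret` is declared elsewhere in the function this looks like a typo and should read `if (ret->package.elements == 0) {`. In the buffer branch above it, the memman_alloc_flexsize() result is passed straight to bcopy() with no NULL check, unlike the aml_parse.c hunks in this patch; `if (ret->buffer.data == NULL) { goto out; }` before the bcopy would bring it in line. The function's opening and closing lie outside this hunk.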
@@ -96,6 +105,7 @@
 		printf("%s:%d\n", __FILE__, __LINE__);
 		env->tempobject.type = aml_t_null;
 	}
+out:
 	return ret;
 }
 
@@ -217,7 +227,7 @@
 	type = obj->type;
 	switch (type) {
 	case aml_t_buffer:
-		if (obj->buffer.size > size) {
+		if (obj->buffer.size >= size) {
 			return;
 		}
 		tmp.buffer.size = size;
@@ -228,7 +238,7 @@
 		*obj = tmp;
 		break;
 	case aml_t_string:
-		if (strlen(obj->str.string) > size) {
+		if (strlen(obj->str.string) >= size) {
 			return;
 		}
 		tmp.str.string = memman_alloc_flexsize(aml_memman, size + 1);
@@ -237,7 +247,7 @@
 		*obj = tmp;
 		break;
 	case aml_t_package:
-		if (obj->package.elements > size) {
+		if (obj->package.elements >= size) {
 			return;
 		}
 		tmp.package.objects = memman_alloc_flexsize(aml_memman,
Index: aml_parse.c
===================================================================
RCS file: /home/cvs/ACPI/sys/dev/acpi/aml/aml_parse.c,v
retrieving revision 1.31
diff -u -r1.31 aml_parse.c
--- aml_parse.c	2000/08/09 14:47:43	1.31
+++ aml_parse.c	2000/08/12 09:51:09
@@ -364,19 +364,23 @@
 	size1 = aml_objtonum(env, obj);
 	size2 = end - env->dp;
 	size = (size1 < size2) ? size1 : size2;
-	buffer = memman_alloc_flexsize(aml_memman, size1);
-	if (buffer == NULL) {
-		AML_DEBUGPRINT("NO MEMORY\n");
-		env->stat = aml_stat_panic;
-		return (NULL);
+	if (size1 > 0) {
+		buffer = memman_alloc_flexsize(aml_memman, size1);
+		if (buffer == NULL) {
+			AML_DEBUGPRINT("NO MEMORY\n");
+			env->stat = aml_stat_panic;
+			return (NULL);
+		}
+		bzero(buffer, size1);
+		bcopy(env->dp, buffer, size);
+	} else {
+		buffer = NULL;
 	}
-	bzero(buffer, size1);
 
 	obj = &env->tempobject;
 	obj->type = aml_t_buffer;
 	obj->buffer.size = size1;
 	obj->buffer.data = buffer;
-	bcopy(env->dp, buffer, size);
 	AML_DEBUGPRINT(") ");
 	env->dp = end;
 
@@ -429,10 +433,20 @@
 	env->tempname.property = resobj;
 	resobj->buffer.type = aml_t_buffer;
 	resobj->buffer.size = tmpobj2->buffer.size + obj->buffer.size;
-	resobj->buffer.data = memman_alloc_flexsize(aml_memman, resobj->buffer.size);
-	bcopy(obj->buffer.data, resobj->buffer.data, obj->buffer.size);
-	bcopy(tmpobj2->buffer.data, resobj->buffer.data + obj->buffer.size,
-	    tmpobj2->buffer.size);
+	if (resobj->buffer.size > 0) {
+		resobj->buffer.data = memman_alloc_flexsize(aml_memman,
+		    resobj->buffer.size);
+		if (resobj->buffer.data == NULL) {
+			env->stat = aml_stat_panic;
+			return (NULL);
+		}
+		bcopy(obj->buffer.data, resobj->buffer.data, obj->buffer.size);
+		bcopy(tmpobj2->buffer.data,
+		    resobj->buffer.data + obj->buffer.size,
+		    tmpobj2->buffer.size);
+	} else {
+		resobj->buffer.data = NULL;
+	}
 	aml_free_object(&tmpobj2);
 	aml_store_to_name(env, resobj, destname);
 	return (&env->tempname);
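Review bot: The new NULL-allocation return leaves tmpobj2 unfreed, because it exits before the `aml_free_object(&tmpobj2);` that follows the if/else; the same leak is in the string-concatenation hunk below (the `resobj->str.string == NULL` branch). The error branch should release it first: `if (resobj->buffer.data == NULL) {` / `aml_free_object(&tmpobj2);` / `env->stat = aml_stat_panic;` before `return (NULL);`. Whether tmpobj2 is always an owned copy at this point is not visible in the hunk, so confirm against its allocation earlier in the function, which starts outside the hunk.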
@@ -460,9 +474,17 @@
 	resobj->type = aml_t_buffer;
 	resobj->str.needfree = 1;
 	len = strlen(obj->str.string) + strlen(tmpobj2->str.string) + 1;
-	resobj->str.string = memman_alloc_flexsize(aml_memman, len);
-	strncpy(resobj->str.string, obj->str.string, len);
-	strcat(resobj->str.string, tmpobj->str.string);
+	if (len > 0) {
+		resobj->str.string = memman_alloc_flexsize(aml_memman, len);
+		if (resobj->str.string == NULL) {
+			env->stat = aml_stat_panic;
+			return (NULL);
+		}
+		strncpy(resobj->str.string, obj->str.string, len);
+		strcat(resobj->str.string, tmpobj->str.string);
+	} else {
+		resobj->str.string = NULL;
+	}
 	aml_free_object(&tmpobj2);
 	aml_store_to_name(env, resobj, destname);
 	return (&env->tempname);
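Review bot: The strcat() on the new side appends `tmpobj->str.string`, but `len` was computed from `tmpobj2->str.string` and tmpobj2 is the object freed afterwards; if tmpobj is a different object from tmpobj2 (both names are declared outside this hunk), `len` does not bound the strcat and the write can overrun the allocation, so this should presumably be `strcat(resobj->str.string, tmpobj2->str.string);`. The `len > 0` test can never be false, since len includes the `+ 1` for the terminator, so the `else` branch that sets `resobj->str.string = NULL` is dead; either drop it or compute len without the terminator and add it at the allocation. A comment such as `/* len counts the NUL, so it is always >= 1 */` would make the intent clear if the branch is kept.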
@@ -525,13 +547,19 @@
 		env->stat = aml_stat_panic;
 		return (NULL);
 	}
-	objects = memman_alloc_flexsize(aml_memman,
-	    numelements * sizeof(union aml_object *));
-	if (objects == NULL) {
-		env->stat = aml_stat_panic;
-		return (NULL);
+	if (numelements > 0) {
+		objects = memman_alloc_flexsize(aml_memman,
+		    numelements * sizeof(union aml_object *));
+		if (objects == NULL) {
+			env->stat = aml_stat_panic;
+			return (NULL);
+		} else {
+			bzero(objects, numelements * sizeof(union aml_object *));
+		}
+	} else {
+		objects = NULL;
 	}
-	bzero(objects, numelements * sizeof(union aml_object *));
+
 	*copy = *env;
 	env->dp = copy->end = start + pkglength;
 	AML_DEBUGPRINT("Package() {\n");
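Review bot: The `else` wrapping the bzero() after the `return (NULL);` is redundant, since the return already leaves the function; dropping it and placing `bzero(objects, numelements * sizeof(union aml_object *));` directly after the closing brace of the NULL check reads more simply. The multiplication `numelements * sizeof(union aml_object *)` is repeated on both sides with no overflow guard; if numelements can be large, a check against `SIZE_MAX / sizeof(union aml_object *)` before the allocation would be worth adding — its origin is not visible in this hunk, so confirm against the preceding validation. The enclosing function starts before this hunk.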

