* dir.c (glob_helper): get rid of possible memory leak.

* win32/win32.c (cmdglob, rb_w32_cmdvector, rb_w32_opendir,
  rb_w32_get_environ): not to use GC before initialization.
  [ruby-core:09024]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@11245 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

3 files changed, 108 insertions, 30 deletions

diff --git a/ChangeLog b/ChangeLog
index 29b800fd62..4f992fd936 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Mon Oct 30 23:22:43 2006  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* dir.c (glob_helper): get rid of possible memory leak.
+
+	* win32/win32.c (cmdglob, rb_w32_cmdvector, rb_w32_opendir,
+	  rb_w32_get_environ): not to use GC before initialization.
+
 Mon Oct 30 19:28:02 2006  NAKAMURA Usaku  <usa@ruby-lang.org>
 
 	* bignum.c (rb_big2str0): use better approximation.
diff --git a/dir.c b/dir.c
index a7d85f9f5a..22d3400fe4 100644
--- a/dir.c
+++ b/dir.c
@@ -922,7 +922,11 @@ sys_warning_1(const char* mesg)
 
 #define GLOB_VERBOSE	(1UL << (sizeof(int) * CHAR_BIT - 1))
 #define sys_warning(val) \
-    ((flags & GLOB_VERBOSE) && rb_protect((VALUE (*)_((VALUE)))sys_warning_1, (VALUE)(val), 0))
+    (void)((flags & GLOB_VERBOSE) && rb_protect((VALUE (*)_((VALUE)))sys_warning_1, (VALUE)(val), 0))
+
+#define GLOB_ALLOC(type) (type *)malloc(sizeof(type))
+#define GLOB_ALLOC_N(type, n) (type *)malloc(sizeof(type) * (n))
+#define GLOB_JUMP_TAG(status) ((status == -1) ? rb_memerror() : rb_jump_tag(status))
 
 /* System call with warning */
 static int
@@ -1058,6 +1062,8 @@ struct glob_pattern {
     struct glob_pattern *next;
 };
 
+static void glob_free_pattern(struct glob_pattern *list);
+
 static struct glob_pattern *
 glob_make_pattern(const char *p, int flags)
 {
@@ -1065,7 +1071,8 @@ glob_make_pattern(const char *p, int flags)
     int dirsep = 0; /* pattern is terminated with '/' */
 
     while (*p) {
-	tmp = ALLOC(struct glob_pattern);
+	tmp = GLOB_ALLOC(struct glob_pattern);
+	if (!tmp) goto error;
 	if (p[0] == '*' && p[1] == '*' && p[2] == '/') {
 	    /* fold continuous RECURSIVEs (needed in glob_helper) */
 	    do { p += 3; } while (p[0] == '*' && p[1] == '*' && p[2] == '/');
@@ -1075,7 +1082,11 @@ glob_make_pattern(const char *p, int flags)
 	}
 	else {
 	    const char *m = find_dirsep(p, flags);
-	    char *buf = ALLOC_N(char, m-p+1);
+	    char *buf = GLOB_ALLOC_N(char, m-p+1);
+	    if (!buf) {
+		free(tmp);
+		goto error;
+	    }
 	    memcpy(buf, p, m-p);
 	    buf[m-p] = '\0';
 	    tmp->type = has_magic(buf, flags) ? MAGICAL : PLAIN;
@@ -1093,7 +1104,13 @@ glob_make_pattern(const char *p, int flags)
 	tail = &tmp->next;
     }
 
-    tmp = ALLOC(struct glob_pattern);
+    tmp = GLOB_ALLOC(struct glob_pattern);
+    if (!tmp) {
+      error:
+	*tail = 0;
+	glob_free_pattern(list);
+	return 0;
+    }
     tmp->type = dirsep ? MATCH_DIR : MATCH_ALL;
     tmp->str = 0;
     *tail = tmp;
@@ -1118,8 +1135,9 @@ static char *
 join_path(const char *path, int dirsep, const char *name)
 {
     long len = strlen(path);
-    char *buf = ALLOC_N(char, len+strlen(name)+(dirsep?1:0)+1);
+    char *buf = GLOB_ALLOC_N(char, len+strlen(name)+(dirsep?1:0)+1);
 
+    if (!buf) return 0;
     memcpy(buf, path, len);
     if (dirsep) {
 	strcpy(buf+len, "/");
@@ -1229,6 +1247,7 @@ glob_helper(
 	}
 	if (match_dir && isdir == YES) {
 	    char *tmp = join_path(path, dirsep, "");
+	    if (!tmp) return -1;
 	    status = glob_call_func(func, tmp, arg);
 	    free(tmp);
 	    if (status) return status;
@@ -1244,8 +1263,12 @@ glob_helper(
 
 	for (dp = readdir(dirp); dp != NULL; dp = readdir(dirp)) {
 	    char *buf = join_path(path, dirsep, dp->d_name);
-
 	    enum answer new_isdir = UNKNOWN;
+
+	    if (!buf) {
+		status = -1;
+		break;
+	    }
 	    if (recursive && strcmp(dp->d_name, ".") != 0 && strcmp(dp->d_name, "..") != 0
 		&& fnmatch("*", dp->d_name, flags) == 0) {
 #ifndef _WIN32
@@ -1258,7 +1281,11 @@ glob_helper(
 #endif
 	    }
 
-	    new_beg = new_end = ALLOC_N(struct glob_pattern *, (end - beg) * 2);
+	    new_beg = new_end = GLOB_ALLOC_N(struct glob_pattern *, (end - beg) * 2);
+	    if (!new_beg) {
+		status = -1;
+		break;
+	    }
 
 	    for (cur = beg; cur < end; ++cur) {
 		struct glob_pattern *p = *cur;
@@ -1284,7 +1311,8 @@ glob_helper(
     else if (plain) {
 	struct glob_pattern **copy_beg, **copy_end, **cur2;
 
-	copy_beg = copy_end = ALLOC_N(struct glob_pattern *, end - beg);
+	copy_beg = copy_end = GLOB_ALLOC_N(struct glob_pattern *, end - beg);
+	if (!copy_beg) return -1;
 	for (cur = beg; cur < end; ++cur)
 	    *copy_end++ = (*cur)->type == PLAIN ? *cur : 0;
 
@@ -1292,11 +1320,20 @@ glob_helper(
 	    if (*cur) {
 		char *buf;
 		char *name;
-		name = ALLOC_N(char, strlen((*cur)->str) + 1);
+		name = GLOB_ALLOC_N(char, strlen((*cur)->str) + 1);
+		if (!name) {
+		    status = -1;
+		    break;
+		}
 		strcpy(name, (*cur)->str);
 		if (escape) remove_backslashes(name);
 
-		new_beg = new_end = ALLOC_N(struct glob_pattern *, end - beg);
+		new_beg = new_end = GLOB_ALLOC_N(struct glob_pattern *, end - beg);
+		if (!new_beg) {
+		    free(name);
+		    status = -1;
+		    break;
+		}
 		*new_end++ = (*cur)->next;
 		for (cur2 = cur + 1; cur2 < copy_end; ++cur2) {
 		    if (*cur2 && fnmatch((*cur2)->str, name, flags) == 0) {
@@ -1307,6 +1344,11 @@ glob_helper(
 
 		buf = join_path(path, dirsep, name);
 		free(name);
+		if (!buf) {
+		    free(new_beg);
+		    status = -1;
+		    break;
+		}
 		status = glob_helper(buf, 1, UNKNOWN, UNKNOWN, new_beg, new_end, flags, func, arg);
 		free(buf);
 		free(new_beg);
@@ -1338,11 +1380,16 @@ ruby_glob0(const char *path, int flags, ruby_glob_func *func, VALUE arg)
     if (root && *root == '/') root++;
 
     n = root - start;
-    buf = ALLOC_N(char, n + 1);
+    buf = GLOB_ALLOC_N(char, n + 1);
+    if (!buf) return -1;
     MEMCPY(buf, start, char, n);
     buf[n] = '\0';
 
     list = glob_make_pattern(root, flags);
+    if (!list) {
+	free(buf);
+	return -1;
+    }
     status = glob_helper(buf, 0, UNKNOWN, UNKNOWN, &list, &list + 1, flags, func, arg);
     glob_free_pattern(list);
     free(buf);
@@ -1386,7 +1433,7 @@ void
 rb_glob(const char *path, void (*func)(const char *, VALUE), VALUE arg)
 {
     int status = rb_glob2(path, 0, func, arg);
-    if (status) rb_jump_tag(status);
+    if (status) GLOB_JUMP_TAG(status);
 }
 
 static void
@@ -1419,9 +1466,10 @@ ruby_brace_expand(const char *str, int flags, ruby_glob_func *func, VALUE arg)
     }
 
     if (lbrace && rbrace) {
-	char *buf = ALLOC_N(char, strlen(s) + 1);
+	char *buf = GLOB_ALLOC_N(char, strlen(s) + 1);
 	long shift;
 
+	if (!buf) return -1;
 	memcpy(buf, s, lbrace-s);
 	shift = (lbrace-s);
 	p = lbrace;
@@ -1503,7 +1551,7 @@ rb_push_glob(VALUE str, int flags) /* '\0' is delimiter */
     while (offset < RSTRING_LEN(str)) {
 	int status = push_glob(ary, RSTRING_PTR(str) + offset, flags);
 	char *p, *pend;
-	if (status) rb_jump_tag(status);
+	if (status) GLOB_JUMP_TAG(status);
 	if (offset >= RSTRING_LEN(str)) break;
 	p = RSTRING_PTR(str) + offset;
 	p += strlen(p) + 1;
@@ -1527,7 +1575,7 @@ dir_globs(long argc, VALUE *argv, int flags)
 	VALUE str = argv[i];
 	StringValue(str);
 	status = push_glob(ary, RSTRING_PTR(str), flags);
-	if (status) rb_jump_tag(status);
+	if (status) GLOB_JUMP_TAG(status);
     }
 
     return ary;
diff --git a/win32/win32.c b/win32/win32.c
index 7c7f310bb0..a8e755e1ff 100644
--- a/win32/win32.c
+++ b/win32/win32.c
@@ -410,7 +410,8 @@ init_env(void)
 	NTLoginName = "<Unknown>";
 	return;
     }
-    NTLoginName = ALLOC_N(char, len+1);
+    NTLoginName = (char *)malloc(len+1);
+    if (!NTLoginName) return;
     strncpy(NTLoginName, env, len);
     NTLoginName[len] = '\0';
 }
@@ -1059,10 +1060,12 @@ insert(const char *path, VALUE vinfo)
     NtCmdLineElement *tmpcurr;
     NtCmdLineElement ***tail = (NtCmdLineElement ***)vinfo;
 
-    tmpcurr = ALLOC(NtCmdLineElement);
+    tmpcurr = (NtCmdLineElement *)malloc(sizeof(NtCmdLineElement));
+    if (!tmpcurr) return -1;
     MEMZERO(tmpcurr, NtCmdLineElement, 1);
     tmpcurr->len = strlen(path);
-    tmpcurr->str = ALLOC_N(char, tmpcurr->len + 1);
+    tmpcurr->str = (char *)malloc(tmpcurr->len + 1);
+    if (!tmpcurr->str) return -1;
     tmpcurr->flags |= NTMALLOC;
     strcpy(tmpcurr->str, path);
     **tail = tmpcurr;
@@ -1084,20 +1087,21 @@ cmdglob(NtCmdLineElement *patt, NtCmdLineElement **tail)
     char buffer[MAXPATHLEN], *buf = buffer;
     char *p;
     NtCmdLineElement **last = tail;
+    int status;
 
     if (patt->len >= MAXPATHLEN)
-	buf = ruby_xmalloc(patt->len + 1);
+	if (!(buf = malloc(patt->len + 1))) return 0;
 
     strncpy (buf, patt->str, patt->len);
     buf[patt->len] = '\0';
     for (p = buf; *p; p = CharNext(p))
 	if (*p == '\\')
 	    *p = '/';
-    ruby_brace_glob(buf, 0, insert, (VALUE)&tail);
+    status = ruby_brace_glob(buf, 0, insert, (VALUE)&tail);
     if (buf != buffer)
 	free(buf);
 
-    if (last == tail) return 0;
+    if (status || last == tail) return 0;
     if (patt->flags & NTMALLOC)
 	free(patt->str);
     free(patt);
@@ -1321,8 +1325,8 @@ rb_w32_cmdvector(const char *cmd, char ***vec)
 	    }
 	}
 
-	curr = ALLOC(NtCmdLineElement);
-	MEMZERO(curr, NtCmdLineElement, 1);
+	curr = (NtCmdLineElement *)calloc(sizeof(NtCmdLineElement), 1);
+	if (!curr) goto do_nothing;
 	curr->str = base;
 	curr->len = len;
 
@@ -1347,7 +1351,18 @@ rb_w32_cmdvector(const char *cmd, char ***vec)
     }
 
     len = (elements+1)*sizeof(char *) + strsz;
-    buffer = ALLOC_N(char, len);
+    buffer = (char *)malloc(len);
+    if (!buffer) {
+      do_nothing:
+	while (curr = cmdhead) {
+	    cmdhead = curr->next;
+	    if (curr->flags & NTMALLOC) free(curr->str);
+	    free(curr);
+	}
+	free(cmdline);
+	for (vptr = *vec; *vptr; ++vptr);
+	return vptr - *vec;
+    }
     
     //
     // make vptr point to the start of the buffer
@@ -1447,6 +1462,7 @@ rb_w32_opendir(const char *filename)
     fh = FindFirstFile(scanname, &fd);
     if (fh == INVALID_HANDLE_VALUE) {
 	errno = map_errno(GetLastError());
+	free(p);
 	return NULL;
     }
 
@@ -1456,9 +1472,14 @@ rb_w32_opendir(const char *filename)
     //
 
     idx = strlen(fd.cFileName)+1;
-    p->start = ALLOC_N(char, idx);
+    if (!(p->start = (char *)malloc(idx)) || !(p->bits = (char *)malloc(1))) {
+      error:
+	rb_w32_closedir(p);
+	FindClose(fh);
+	errno = ENOMEM;
+	return NULL;
+    }
     strcpy(p->start, fd.cFileName);
-    p->bits = ALLOC_N(char, 1);
     p->bits[0] = 0;
     if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
 	SetBit(p->bits, 0);
@@ -1484,14 +1505,14 @@ rb_w32_opendir(const char *filename)
 
 	Renew (p->start, idx+len+1, char);
 	if (p->start == NULL) {
-            rb_fatal ("opendir: malloc failed!\n");
+	    goto error;
 	}
 	strcpy(&p->start[idx], fd.cFileName);
 
 	if (p->nfiles % 4 == 0) {
 	    Renew (p->bits, p->nfiles / 4 + 1, char);
 	    if (p->bits == NULL) {
-		rb_fatal ("opendir: malloc failed!\n");
+		goto error;
 	    }
 	    p->bits[p->nfiles / 4] = 0;
 	}
@@ -3981,10 +4002,12 @@ rb_w32_get_environ(void)
     for (env = envtop, num = 0; *env; env += strlen(env) + 1)
 	if (*env != '=') num++;
 
-    myenvtop = ALLOC_N(char*, num + 1);
+    myenvtop = (char **)malloc(sizeof(char *) * (num + 1));
     for (env = envtop, myenv = myenvtop; *env; env += strlen(env) + 1) {
 	if (*env != '=') {
-	    *myenv = ALLOC_N(char, strlen(env) + 1);
+	    if (!(*myenv = (char *)malloc(strlen(env) + 1))) {
+		break;
+	    }
 	    strcpy(*myenv, env);
 	    myenv++;
 	}