Blame SOURCES/glibc-rh797094-2.patch

b40826
From: Ulrich Drepper <drepper@gmail.com>
b40826
Date: Mon, 23 May 2011 03:04:16 +0000 (-0400)
b40826
Subject: Add a few more alloca size checks
b40826
X-Git-Tag: glibc-2.14~41
b40826
X-Git-Url: http://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=f2962a71959fd254a7a223437ca4b63b9e81130c
b40826
b40826
Add a few more alloca size checks
b40826
---
b40826
b40826
 2011-05-22  Ulrich Drepper  <drepper@gmail.com>
b40826
 
b40826
	[BZ #12671]
b40826
	* nis/nss_nis/nis-alias.c (_nss_nis_getaliasbyname_r): Use malloc in
b40826
	some situations.
b40826
	* nscd/nscd_getserv_r.c (nscd_getserv_r): Likewise.
b40826
	* posix/glob.c (glob_in_dir): Take additional parameter alloca_used.
b40826
	add in in __libc_use_alloca calls.  Adjust callers.
b40826
	(glob): Use malloc in some situations.
b40826
diff --git a/nis/nss_nis/nis-alias.c b/nis/nss_nis/nis-alias.c
b40826
index 9286e36..cfe4097 100644
b40826
--- a/nis/nss_nis/nis-alias.c
b40826
+++ b/nis/nss_nis/nis-alias.c
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 1996-2002, 2003, 2006 Free Software Foundation, Inc.
b40826
+/* Copyright (C) 1996-2002, 2003, 2006, 2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Contributed by Thorsten Kukuk <kukuk@vt.uni-paderborn.de>, 1996.
b40826
 
b40826
@@ -142,10 +142,10 @@ internal_nis_getaliasent_r (struct aliasent *alias, char *buffer,
b40826
       int yperr;
b40826
 
b40826
       if (new_start)
b40826
-        yperr = yp_first (domain, "mail.aliases", &outkey, &keylen, &result,
b40826
+	yperr = yp_first (domain, "mail.aliases", &outkey, &keylen, &result,
b40826
 			  &len;;
b40826
       else
b40826
-        yperr = yp_next (domain, "mail.aliases", oldkey, oldkeylen, &outkey,
b40826
+	yperr = yp_next (domain, "mail.aliases", oldkey, oldkeylen, &outkey,
b40826
 			 &keylen, &result, &len;;
b40826
 
b40826
       if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
b40826
@@ -153,20 +153,20 @@ internal_nis_getaliasent_r (struct aliasent *alias, char *buffer,
b40826
 	  enum nss_status retval = yperr2nss (yperr);
b40826
 
b40826
 	  if (retval == NSS_STATUS_TRYAGAIN)
b40826
-            *errnop = errno;
b40826
-          return retval;
b40826
-        }
b40826
+	    *errnop = errno;
b40826
+	  return retval;
b40826
+	}
b40826
 
b40826
       if (__builtin_expect ((size_t) (len + 1) > buflen, 0))
b40826
-        {
b40826
+	{
b40826
 	  free (result);
b40826
-          *errnop = ERANGE;
b40826
-          return NSS_STATUS_TRYAGAIN;
b40826
-        }
b40826
+	  *errnop = ERANGE;
b40826
+	  return NSS_STATUS_TRYAGAIN;
b40826
+	}
b40826
       char *p = strncpy (buffer, result, len);
b40826
       buffer[len] = '\0';
b40826
       while (isspace (*p))
b40826
-        ++p;
b40826
+	++p;
b40826
       free (result);
b40826
 
b40826
       parse_res = _nss_nis_parse_aliasent (outkey, p, alias, buffer,
b40826
@@ -213,13 +213,25 @@ _nss_nis_getaliasbyname_r (const char *name, struct aliasent *alias,
b40826
       return NSS_STATUS_UNAVAIL;
b40826
     }
b40826
 
b40826
-  size_t namlen = strlen (name);
b40826
-  char name2[namlen + 1];
b40826
-
b40826
   char *domain;
b40826
   if (__builtin_expect (yp_get_default_domain (&domain), 0))
b40826
     return NSS_STATUS_UNAVAIL;
b40826
 
b40826
+  size_t namlen = strlen (name);
b40826
+  char *name2;
b40826
+  int use_alloca = __libc_use_alloca (namlen + 1);
b40826
+  if (use_alloca)
b40826
+    name2 = __alloca (namlen + 1);
b40826
+  else
b40826
+    {
b40826
+      name2 = malloc (namlen + 1);
b40826
+      if (name2 == NULL)
b40826
+	{
b40826
+	  *errnop = ENOMEM;
b40826
+	  return NSS_STATUS_TRYAGAIN;
b40826
+	}
b40826
+    }
b40826
+
b40826
   /* Convert name to lowercase.  */
b40826
   size_t i;
b40826
   for (i = 0; i < namlen; ++i)
b40826
@@ -230,6 +242,9 @@ _nss_nis_getaliasbyname_r (const char *name, struct aliasent *alias,
b40826
   int len;
b40826
   int yperr = yp_match (domain, "mail.aliases", name2, namlen, &result, &len;;
b40826
 
b40826
+  if (!use_alloca)
b40826
+    free (name2);
b40826
+
b40826
   if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
b40826
     {
b40826
       enum nss_status retval = yperr2nss (yperr);
b40826
diff --git a/nscd/nscd_getserv_r.c b/nscd/nscd_getserv_r.c
b40826
index dce4165..de96a57 100644
b40826
--- a/nscd/nscd_getserv_r.c
b40826
+++ b/nscd/nscd_getserv_r.c
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 2007, 2009 Free Software Foundation, Inc.
b40826
+/* Copyright (C) 2007, 2009, 2011 Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
    Contributed by Ulrich Drepper <drepper@redhat.com>, 2007.
b40826
 
b40826
@@ -17,6 +17,7 @@
b40826
    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
b40826
    02111-1307 USA.  */
b40826
 
b40826
+#include <assert.h>
b40826
 #include <errno.h>
b40826
 #include <string.h>
b40826
 #include <not-cancel.h>
b40826
@@ -80,6 +81,7 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
b40826
 {
b40826
   int gc_cycle;
b40826
   int nretries = 0;
b40826
+  size_t alloca_used = 0;
b40826
 
b40826
   /* If the mapping is available, try to search there instead of
b40826
      communicating with the nscd.  */
b40826
@@ -88,13 +90,23 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
b40826
 			       &gc_cycle);
b40826
   size_t protolen = proto == NULL ? 0 : strlen (proto);
b40826
   size_t keylen = critlen + 1 + protolen + 1;
b40826
-  char *key = alloca (keylen);
b40826
+  int alloca_key = __libc_use_alloca (keylen);
b40826
+  char *key;
b40826
+  if (alloca_key)
b40826
+    key = alloca_account (keylen, alloca_used);
b40826
+  else
b40826
+    {
b40826
+      key = malloc (keylen);
b40826
+      if (key == NULL)
b40826
+	return -1;
b40826
+    }
b40826
   memcpy (__mempcpy (__mempcpy (key, crit, critlen),
b40826
 		     "/", 1), proto ?: "", protolen + 1);
b40826
 
b40826
  retry:;
b40826
   const char *s_name = NULL;
b40826
   const char *s_proto = NULL;
b40826
+  int alloca_aliases_len = 0;
b40826
   const uint32_t *aliases_len = NULL;
b40826
   const char *aliases_list = NULL;
b40826
   int retval = -1;
b40826
@@ -136,8 +148,22 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
b40826
 	  if (((uintptr_t) aliases_len & (__alignof__ (*aliases_len) - 1))
b40826
 	      != 0)
b40826
 	    {
b40826
-	      uint32_t *tmp = alloca (serv_resp.s_aliases_cnt
b40826
-				      * sizeof (uint32_t));
b40826
+	      uint32_t *tmp;
b40826
+	      alloca_aliases_len
b40826
+		= __libc_use_alloca (alloca_used
b40826
+				     + (serv_resp.s_aliases_cnt
b40826
+					* sizeof (uint32_t)));
b40826
+	      if (alloca_aliases_len)
b40826
+		tmp = __alloca (serv_resp.s_aliases_cnt * sizeof (uint32_t));
b40826
+	      else
b40826
+		{
b40826
+		  tmp = malloc (serv_resp.s_aliases_cnt * sizeof (uint32_t));
b40826
+		  if (tmp == NULL)
b40826
+		    {
b40826
+		      retval = ENOMEM;
b40826
+		      goto out;
b40826
+		    }
b40826
+		}
b40826
 	      aliases_len = memcpy (tmp, aliases_len,
b40826
 				    serv_resp.s_aliases_cnt
b40826
 				    * sizeof (uint32_t));
b40826
@@ -217,8 +243,24 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
b40826
 
b40826
 	  if (serv_resp.s_aliases_cnt > 0)
b40826
 	    {
b40826
-	      aliases_len = alloca (serv_resp.s_aliases_cnt
b40826
-				    * sizeof (uint32_t));
b40826
+	      assert (alloca_aliases_len == 0);
b40826
+	      alloca_aliases_len
b40826
+		= __libc_use_alloca (alloca_used
b40826
+				     + (serv_resp.s_aliases_cnt
b40826
+					* sizeof (uint32_t)));
b40826
+	      if (alloca_aliases_len)
b40826
+		aliases_len = alloca (serv_resp.s_aliases_cnt
b40826
+				      * sizeof (uint32_t));
b40826
+	      else
b40826
+		{
b40826
+		  aliases_len = malloc (serv_resp.s_aliases_cnt
b40826
+					* sizeof (uint32_t));
b40826
+		  if (aliases_len == NULL)
b40826
+		    {
b40826
+		      retval = ENOMEM;
b40826
+		      goto out_close;
b40826
+		    }
b40826
+		}
b40826
 	      vec[n].iov_base = (void *) aliases_len;
b40826
 	      vec[n].iov_len = serv_resp.s_aliases_cnt * sizeof (uint32_t);
b40826
 
b40826
@@ -329,5 +371,10 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
b40826
 	goto retry;
b40826
     }
b40826
 
b40826
+  if (!alloca_aliases_len)
b40826
+    free ((void *) aliases_len);
b40826
+  if (!alloca_key)
b40826
+    free (key);
b40826
+
b40826
   return retval;
b40826
 }
b40826
diff --git a/posix/glob.c b/posix/glob.c
b40826
index 6df083a..79b6e50 100644
b40826
--- a/posix/glob.c
b40826
+++ b/posix/glob.c
b40826
@@ -1,4 +1,4 @@
b40826
-/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010
b40826
+/* Copyright (C) 1991-2002, 2003, 2004, 2005, 2006, 2007, 2008, 2010, 2011
b40826
    Free Software Foundation, Inc.
b40826
    This file is part of the GNU C Library.
b40826
 
b40826
@@ -199,7 +199,7 @@ static const char *next_brace_sub (const char *begin, int flags) __THROW;
b40826
 
b40826
 static int glob_in_dir (const char *pattern, const char *directory,
b40826
 			int flags, int (*errfunc) (const char *, int),
b40826
-			glob_t *pglob);
b40826
+			glob_t *pglob, size_t alloca_used);
b40826
 extern int __glob_pattern_type (const char *pattern, int quote)
b40826
     attribute_hidden;
b40826
 
b40826
@@ -253,13 +253,18 @@ glob (pattern, flags, errfunc, pglob)
b40826
      glob_t *pglob;
b40826
 {
b40826
   const char *filename;
b40826
-  const char *dirname;
b40826
+  char *dirname = NULL;
b40826
   size_t dirlen;
b40826
   int status;
b40826
   size_t oldcount;
b40826
   int meta;
b40826
   int dirname_modified;
b40826
+  int malloc_dirname = 0;
b40826
   glob_t dirs;
b40826
+  int retval = 0;
b40826
+#ifdef _LIBC
b40826
+  size_t alloca_used = 0;
b40826
+#endif
b40826
 
b40826
   if (pattern == NULL || pglob == NULL || (flags & ~__GLOB_FLAGS) != 0)
b40826
     {
b40826
@@ -308,20 +313,26 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	  const char *next;
b40826
 	  const char *rest;
b40826
 	  size_t rest_len;
b40826
-#ifdef __GNUC__
b40826
-	  char onealt[strlen (pattern) - 1];
b40826
-#else
b40826
-	  char *onealt = (char *) malloc (strlen (pattern) - 1);
b40826
-	  if (onealt == NULL)
b40826
+	  char *onealt;
b40826
+	  size_t pattern_len = strlen (pattern) - 1;
b40826
+#ifdef _LIBC
b40826
+	  int alloca_onealt = __libc_use_alloca (alloca_used + pattern_len);
b40826
+	  if (alloca_onealt)
b40826
+	    onealt = alloca_account (pattern_len, alloca_used);
b40826
+	  else
b40826
+#endif
b40826
 	    {
b40826
-	      if (!(flags & GLOB_APPEND))
b40826
+	      onealt = (char *) malloc (pattern_len);
b40826
+	      if (onealt == NULL)
b40826
 		{
b40826
-		  pglob->gl_pathc = 0;
b40826
-		  pglob->gl_pathv = NULL;
b40826
+		  if (!(flags & GLOB_APPEND))
b40826
+		    {
b40826
+		      pglob->gl_pathc = 0;
b40826
+		      pglob->gl_pathv = NULL;
b40826
+		    }
b40826
+		  return GLOB_NOSPACE;
b40826
 		}
b40826
-	      return GLOB_NOSPACE;
b40826
 	    }
b40826
-#endif
b40826
 
b40826
 	  /* We know the prefix for all sub-patterns.  */
b40826
 	  alt_start = mempcpy (onealt, pattern, begin - pattern);
b40826
@@ -332,9 +343,11 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	  if (next == NULL)
b40826
 	    {
b40826
 	      /* It is an illegal expression.  */
b40826
-#ifndef __GNUC__
b40826
-	      free (onealt);
b40826
+	    illegal_brace:
b40826
+#ifdef _LIBC
b40826
+	      if (__builtin_expect (!alloca_onealt, 0))
b40826
 #endif
b40826
+		free (onealt);
b40826
 	      return glob (pattern, flags & ~GLOB_BRACE, errfunc, pglob);
b40826
 	    }
b40826
 
b40826
@@ -344,13 +357,8 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	    {
b40826
 	      rest = next_brace_sub (rest + 1, flags);
b40826
 	      if (rest == NULL)
b40826
-		{
b40826
-		  /* It is an illegal expression.  */
b40826
-#ifndef __GNUC__
b40826
-		  free (onealt);
b40826
-#endif
b40826
-		  return glob (pattern, flags & ~GLOB_BRACE, errfunc, pglob);
b40826
-		}
b40826
+		/* It is an illegal expression.  */
b40826
+		goto illegal_brace;
b40826
 	    }
b40826
 	  /* Please note that we now can be sure the brace expression
b40826
 	     is well-formed.  */
b40826
@@ -386,9 +394,10 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	      /* If we got an error, return it.  */
b40826
 	      if (result && result != GLOB_NOMATCH)
b40826
 		{
b40826
-#ifndef __GNUC__
b40826
-		  free (onealt);
b40826
+#ifdef _LIBC
b40826
+		  if (__builtin_expect (!alloca_onealt, 0))
b40826
 #endif
b40826
+		    free (onealt);
b40826
 		  if (!(flags & GLOB_APPEND))
b40826
 		    {
b40826
 		      globfree (pglob);
b40826
@@ -406,9 +415,10 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	      assert (next != NULL);
b40826
 	    }
b40826
 
b40826
-#ifndef __GNUC__
b40826
-	  free (onealt);
b40826
+#ifdef _LIBC
b40826
+	  if (__builtin_expect (!alloca_onealt, 0))
b40826
 #endif
b40826
+	    free (onealt);
b40826
 
b40826
 	  if (pglob->gl_pathc != firstc)
b40826
 	    /* We found some entries.  */
b40826
@@ -455,7 +465,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	 case is nothing but a notation for a directory.  */
b40826
       if ((flags & (GLOB_TILDE|GLOB_TILDE_CHECK)) && pattern[0] == '~')
b40826
 	{
b40826
-	  dirname = pattern;
b40826
+	  dirname = (char *) pattern;
b40826
 	  dirlen = strlen (pattern);
b40826
 
b40826
 	  /* Set FILENAME to NULL as a special flag.  This is ugly but
b40826
@@ -473,9 +483,9 @@ glob (pattern, flags, errfunc, pglob)
b40826
 
b40826
 	  filename = pattern;
b40826
 #ifdef _AMIGA
b40826
-	  dirname = "";
b40826
+	  dirname = (char *) "";
b40826
 #else
b40826
-	  dirname = ".";
b40826
+	  dirname = (char *) ".";
b40826
 #endif
b40826
 	  dirlen = 0;
b40826
 	}
b40826
@@ -485,7 +495,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	       && (flags & GLOB_NOESCAPE) == 0))
b40826
     {
b40826
       /* "/pattern" or "\\/pattern".  */
b40826
-      dirname = "/";
b40826
+      dirname = (char *) "/";
b40826
       dirlen = 1;
b40826
       ++filename;
b40826
     }
b40826
@@ -511,7 +521,17 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	     from "d:/", since "d:" and "d:/" are not the same.*/
b40826
 	}
b40826
 #endif
b40826
-      newp = (char *) __alloca (dirlen + 1);
b40826
+#ifdef _LIBC
b40826
+      if (__libc_use_alloca (alloca_used + dirlen + 1))
b40826
+	newp = alloca_account (dirlen + 1, alloca_used);
b40826
+      else
b40826
+#endif
b40826
+	{
b40826
+	  newp = malloc (dirlen + 1);
b40826
+	  if (newp == NULL)
b40826
+	    return GLOB_NOSPACE;
b40826
+	  malloc_dirname = 1;
b40826
+	}
b40826
       *((char *) mempcpy (newp, pattern, dirlen)) = '\0';
b40826
       dirname = newp;
b40826
       ++filename;
b40826
@@ -551,7 +571,8 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	      oldcount = pglob->gl_pathc + pglob->gl_offs;
b40826
 	      goto no_matches;
b40826
 	    }
b40826
-	  return val;
b40826
+	  retval = val;
b40826
+	  goto out;
b40826
 	}
b40826
     }
b40826
 
b40826
@@ -563,7 +584,8 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	      && (dirname[2] == '\0' || dirname[2] == '/')))
b40826
 	{
b40826
 	  /* Look up home directory.  */
b40826
-	  const char *home_dir = getenv ("HOME");
b40826
+	  char *home_dir = getenv ("HOME");
b40826
+	  int malloc_home_dir = 0;
b40826
 # ifdef _AMIGA
b40826
 	  if (home_dir == NULL || home_dir[0] == '\0')
b40826
 	    home_dir = "SYS:";
b40826
@@ -582,7 +604,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 		/* `sysconf' does not support _SC_LOGIN_NAME_MAX.  Try
b40826
 		   a moderate value.  */
b40826
 		buflen = 20;
b40826
-	      name = (char *) __alloca (buflen);
b40826
+	      name = alloca_account (buflen, alloca_used);
b40826
 
b40826
 	      success = getlogin_r (name, buflen) == 0;
b40826
 	      if (success)
b40826
@@ -592,6 +614,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 		  long int pwbuflen = GETPW_R_SIZE_MAX ();
b40826
 		  char *pwtmpbuf;
b40826
 		  struct passwd pwbuf;
b40826
+		  int malloc_pwtmpbuf = 0;
b40826
 		  int save = errno;
b40826
 
b40826
 #    ifndef _LIBC
b40826
@@ -600,7 +623,18 @@ glob (pattern, flags, errfunc, pglob)
b40826
 		       Try a moderate value.  */
b40826
 		    pwbuflen = 1024;
b40826
 #    endif
b40826
-		  pwtmpbuf = (char *) __alloca (pwbuflen);
b40826
+		  if (__libc_use_alloca (alloca_used + pwbuflen))
b40826
+		    pwtmpbuf = alloca_account (pwbuflen, alloca_used);
b40826
+		  else
b40826
+		    {
b40826
+		      pwtmpbuf = malloc (pwbuflen);
b40826
+		      if (pwtmpbuf == NULL)
b40826
+			{
b40826
+			  retval = GLOB_NOSPACE;
b40826
+			  goto out;
b40826
+			}
b40826
+		      malloc_pwtmpbuf = 1;
b40826
+		    }
b40826
 
b40826
 		  while (getpwnam_r (name, &pwbuf, pwtmpbuf, pwbuflen, &p)
b40826
 			 != 0)
b40826
@@ -610,46 +644,115 @@ glob (pattern, flags, errfunc, pglob)
b40826
 			  p = NULL;
b40826
 			  break;
b40826
 			}
b40826
-#    ifdef _LIBC
b40826
-		      pwtmpbuf = extend_alloca (pwtmpbuf, pwbuflen,
b40826
+
b40826
+		      if (!malloc_pwtmpbuf
b40826
+			  && __libc_use_alloca (alloca_used
b40826
+						+ 2 * pwbuflen))
b40826
+			pwtmpbuf = extend_alloca_account (pwtmpbuf, pwbuflen,
b40826
+							  2 * pwbuflen,
b40826
+							  alloca_used);
b40826
+		      else
b40826
+			{
b40826
+			  char *newp = realloc (malloc_pwtmpbuf
b40826
+						? pwtmpbuf : NULL,
b40826
 						2 * pwbuflen);
b40826
-#    else
b40826
-		      pwbuflen *= 2;
b40826
-		      pwtmpbuf = (char *) __alloca (pwbuflen);
b40826
-#    endif
b40826
+			  if (newp == NULL)
b40826
+			    {
b40826
+			      if (__builtin_expect (malloc_pwtmpbuf, 0))
b40826
+				free (pwtmpbuf);
b40826
+			      retval = GLOB_NOSPACE;
b40826
+			      goto out;
b40826
+			    }
b40826
+			  pwtmpbuf = newp;
b40826
+			  pwbuflen = 2 * pwbuflen;
b40826
+			  malloc_pwtmpbuf = 1;
b40826
+			}
b40826
 		      __set_errno (save);
b40826
 		    }
b40826
 #   else
b40826
 		  p = getpwnam (name);
b40826
 #   endif
b40826
 		  if (p != NULL)
b40826
-		    home_dir = p->pw_dir;
b40826
+		    {
b40826
+		      if (!malloc_pwtmpbuf)
b40826
+			home_dir = p->pw_dir;
b40826
+		      else
b40826
+			{
b40826
+			  size_t home_dir_len = strlen (p->pw_dir) + 1;
b40826
+			  if (__libc_use_alloca (alloca_used + home_dir_len))
b40826
+			    home_dir = alloca_account (home_dir_len,
b40826
+						       alloca_used);
b40826
+			  else
b40826
+			    {
b40826
+			      home_dir = malloc (home_dir_len);
b40826
+			      if (home_dir == NULL)
b40826
+				{
b40826
+				  free (pwtmpbuf);
b40826
+				  retval = GLOB_NOSPACE;
b40826
+				  goto out;
b40826
+				}
b40826
+			      malloc_home_dir = 1;
b40826
+			    }
b40826
+			  memcpy (home_dir, p->pw_dir, home_dir_len);
b40826
+
b40826
+			  free (pwtmpbuf);
b40826
+			}
b40826
+		    }
b40826
 		}
b40826
 	    }
b40826
 	  if (home_dir == NULL || home_dir[0] == '\0')
b40826
 	    {
b40826
 	      if (flags & GLOB_TILDE_CHECK)
b40826
-		return GLOB_NOMATCH;
b40826
+		{
b40826
+		  if (__builtin_expect (malloc_home_dir, 0))
b40826
+		    free (home_dir);
b40826
+		  retval = GLOB_NOMATCH;
b40826
+		  goto out;
b40826
+		}
b40826
 	      else
b40826
-		home_dir = "~"; /* No luck.  */
b40826
+		home_dir = (char *) "~"; /* No luck.  */
b40826
 	    }
b40826
 #  endif /* WINDOWS32 */
b40826
 # endif
b40826
 	  /* Now construct the full directory.  */
b40826
 	  if (dirname[1] == '\0')
b40826
 	    {
b40826
+	      if (__builtin_expect (malloc_dirname, 0))
b40826
+		free (dirname);
b40826
+
b40826
 	      dirname = home_dir;
b40826
 	      dirlen = strlen (dirname);
b40826
+	      malloc_dirname = malloc_home_dir;
b40826
 	    }
b40826
 	  else
b40826
 	    {
b40826
 	      char *newp;
b40826
 	      size_t home_len = strlen (home_dir);
b40826
-	      newp = (char *) __alloca (home_len + dirlen);
b40826
+	      int use_alloca = __libc_use_alloca (alloca_used
b40826
+						  + home_len + dirlen);
b40826
+	      if (use_alloca)
b40826
+		newp = alloca_account (home_len + dirlen, alloca_used);
b40826
+	      else
b40826
+		{
b40826
+		  newp = malloc (home_len + dirlen);
b40826
+		  if (newp == NULL)
b40826
+		    {
b40826
+		      if (__builtin_expect (malloc_home_dir, 0))
b40826
+			free (home_dir);
b40826
+		      retval = GLOB_NOSPACE;
b40826
+		      goto out;
b40826
+		    }
b40826
+		}
b40826
+
b40826
 	      mempcpy (mempcpy (newp, home_dir, home_len),
b40826
 		       &dirname[1], dirlen);
b40826
+
b40826
+	      if (__builtin_expect (malloc_dirname, 0))
b40826
+		free (dirname);
b40826
+
b40826
 	      dirname = newp;
b40826
 	      dirlen += home_len - 1;
b40826
+	      malloc_dirname = !use_alloca;
b40826
 	    }
b40826
 	  dirname_modified = 1;
b40826
 	}
b40826
@@ -657,7 +760,8 @@ glob (pattern, flags, errfunc, pglob)
b40826
       else
b40826
 	{
b40826
 	  char *end_name = strchr (dirname, '/');
b40826
-	  const char *user_name;
b40826
+	  char *user_name;
b40826
+	  int malloc_user_name = 0;
b40826
 	  const char *home_dir;
b40826
 	  char *unescape = NULL;
b40826
 
b40826
@@ -677,7 +781,18 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	  else
b40826
 	    {
b40826
 	      char *newp;
b40826
-	      newp = (char *) __alloca (end_name - dirname);
b40826
+	      if (__libc_use_alloca (alloca_used + (end_name - dirname)))
b40826
+		newp = alloca_account (end_name - dirname, alloca_used);
b40826
+	      else
b40826
+		{
b40826
+		  newp = malloc (end_name - dirname);
b40826
+		  if (newp == NULL)
b40826
+		    {
b40826
+		      retval = GLOB_NOSPACE;
b40826
+		      goto out;
b40826
+		    }
b40826
+		  malloc_user_name = 1;
b40826
+		}
b40826
 	      if (unescape != NULL)
b40826
 		{
b40826
 		  char *p = mempcpy (newp, dirname + 1,
b40826
@@ -714,6 +829,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 #  if defined HAVE_GETPWNAM_R || defined _LIBC
b40826
 	    long int buflen = GETPW_R_SIZE_MAX ();
b40826
 	    char *pwtmpbuf;
b40826
+	    int malloc_pwtmpbuf = 0;
b40826
 	    struct passwd pwbuf;
b40826
 	    int save = errno;
b40826
 
b40826
@@ -723,7 +839,21 @@ glob (pattern, flags, errfunc, pglob)
b40826
 		 moderate value.  */
b40826
 	      buflen = 1024;
b40826
 #   endif
b40826
-	    pwtmpbuf = (char *) __alloca (buflen);
b40826
+	    if (__libc_use_alloca (alloca_used + buflen))
b40826
+	      pwtmpbuf = alloca_account (buflen, alloca_used);
b40826
+	    else
b40826
+	      {
b40826
+		pwtmpbuf = malloc (buflen);
b40826
+		if (pwtmpbuf == NULL)
b40826
+		  {
b40826
+		  nomem_getpw:
b40826
+		    if (__builtin_expect (malloc_user_name, 0))
b40826
+		      free (user_name);
b40826
+		    retval = GLOB_NOSPACE;
b40826
+		    goto out;
b40826
+		  }
b40826
+		malloc_pwtmpbuf = 1;
b40826
+	      }
b40826
 
b40826
 	    while (getpwnam_r (user_name, &pwbuf, pwtmpbuf, buflen, &p) != 0)
b40826
 	      {
b40826
@@ -732,40 +862,77 @@ glob (pattern, flags, errfunc, pglob)
b40826
 		    p = NULL;
b40826
 		    break;
b40826
 		  }
b40826
-#   ifdef _LIBC
b40826
-		pwtmpbuf = extend_alloca (pwtmpbuf, buflen, 2 * buflen);
b40826
-#   else
b40826
-		buflen *= 2;
b40826
-		pwtmpbuf = __alloca (buflen);
b40826
-#   endif
b40826
+		if (!malloc_pwtmpbuf
b40826
+		    && __libc_use_alloca (alloca_used + 2 * buflen))
b40826
+		  pwtmpbuf = extend_alloca_account (pwtmpbuf, buflen,
b40826
+						    2 * buflen, alloca_used);
b40826
+		else
b40826
+		  {
b40826
+		    char *newp = realloc (malloc_pwtmpbuf ? pwtmpbuf : NULL,
b40826
+					  2 * buflen);
b40826
+		    if (newp == NULL)
b40826
+		      {
b40826
+			if (__builtin_expect (malloc_pwtmpbuf, 0))
b40826
+			  free (pwtmpbuf);
b40826
+			goto nomem_getpw;
b40826
+		      }
b40826
+		    pwtmpbuf = newp;
b40826
+		    malloc_pwtmpbuf = 1;
b40826
+		  }
b40826
 		__set_errno (save);
b40826
 	      }
b40826
 #  else
b40826
 	    p = getpwnam (user_name);
b40826
 #  endif
b40826
+
b40826
+	    if (__builtin_expect (malloc_user_name, 0))
b40826
+	      free (user_name);
b40826
+
b40826
+	    /* If we found a home directory use this.  */
b40826
 	    if (p != NULL)
b40826
-	      home_dir = p->pw_dir;
b40826
+	      {
b40826
+		size_t home_len = strlen (p->pw_dir);
b40826
+		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
b40826
+
b40826
+		if (__builtin_expect (malloc_dirname, 0))
b40826
+		  free (dirname);
b40826
+		malloc_dirname = 0;
b40826
+
b40826
+		if (__libc_use_alloca (alloca_used + home_len + rest_len + 1))
b40826
+		  dirname = alloca_account (home_len + rest_len + 1,
b40826
+					    alloca_used);
b40826
+		else
b40826
+		  {
b40826
+		    dirname = malloc (home_len + rest_len + 1);
b40826
+		    if (dirname == NULL)
b40826
+		      {
b40826
+			if (__builtin_expect (malloc_pwtmpbuf, 0))
b40826
+			  free (pwtmpbuf);
b40826
+			retval = GLOB_NOSPACE;
b40826
+			goto out;
b40826
+		      }
b40826
+		    malloc_dirname = 1;
b40826
+		  }
b40826
+		*((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
b40826
+				    end_name, rest_len)) = '\0';
b40826
+
b40826
+		dirlen = home_len + rest_len;
b40826
+		dirname_modified = 1;
b40826
+
b40826
+		if (__builtin_expect (malloc_pwtmpbuf, 0))
b40826
+		  free (pwtmpbuf);
b40826
+	      }
b40826
 	    else
b40826
-	      home_dir = NULL;
b40826
+	      {
b40826
+		if (__builtin_expect (malloc_pwtmpbuf, 0))
b40826
+		  free (pwtmpbuf);
b40826
+
b40826
+		if (flags & GLOB_TILDE_CHECK)
b40826
+		  /* We have to regard it as an error if we cannot find the
b40826
+		     home directory.  */
b40826
+		  return GLOB_NOMATCH;
b40826
+	      }
b40826
 	  }
b40826
-	  /* If we found a home directory use this.  */
b40826
-	  if (home_dir != NULL)
b40826
-	    {
b40826
-	      char *newp;
b40826
-	      size_t home_len = strlen (home_dir);
b40826
-	      size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
b40826
-	      newp = (char *) __alloca (home_len + rest_len + 1);
b40826
-	      *((char *) mempcpy (mempcpy (newp, home_dir, home_len),
b40826
-				  end_name, rest_len)) = '\0';
b40826
-	      dirname = newp;
b40826
-	      dirlen = home_len + rest_len;
b40826
-	      dirname_modified = 1;
b40826
-	    }
b40826
-	  else
b40826
-	    if (flags & GLOB_TILDE_CHECK)
b40826
-	      /* We have to regard it as an error if we cannot find the
b40826
-		 home directory.  */
b40826
-	      return GLOB_NOMATCH;
b40826
 	}
b40826
 # endif	/* Not Amiga && not WINDOWS32.  */
b40826
     }
b40826
@@ -899,7 +1066,7 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	  status = glob_in_dir (filename, dirs.gl_pathv[i],
b40826
 				((flags | GLOB_APPEND)
b40826
 				 & ~(GLOB_NOCHECK | GLOB_NOMAGIC)),
b40826
-				errfunc, pglob);
b40826
+				errfunc, pglob, alloca_used);
b40826
 	  if (status == GLOB_NOMATCH)
b40826
 	    /* No matches in this directory.  Try the next.  */
b40826
 	    continue;
b40826
@@ -1000,7 +1167,8 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	}
b40826
       if (dirname_modified)
b40826
 	flags &= ~(GLOB_NOCHECK | GLOB_NOMAGIC);
b40826
-      status = glob_in_dir (filename, dirname, flags, errfunc, pglob);
b40826
+      status = glob_in_dir (filename, dirname, flags, errfunc, pglob,
b40826
+			    alloca_used);
b40826
       if (status != 0)
b40826
 	{
b40826
 	  if (status == GLOB_NOMATCH && flags != orig_flags
b40826
@@ -1063,7 +1231,11 @@ glob (pattern, flags, errfunc, pglob)
b40826
 	     sizeof (char *), collated_compare);
b40826
     }
b40826
 
b40826
-  return 0;
b40826
+ out:
b40826
+  if (__builtin_expect (malloc_dirname, 0))
b40826
+    free (dirname);
b40826
+
b40826
+  return retval;
b40826
 }
b40826
 #if defined _LIBC && !defined glob
b40826
 libc_hidden_def (glob)
b40826
@@ -1273,7 +1445,7 @@ link_exists2_p (const char *dir, size_t dirlen, const char *fname,
b40826
 static int
b40826
 glob_in_dir (const char *pattern, const char *directory, int flags,
b40826
 	     int (*errfunc) (const char *, int),
b40826
-	     glob_t *pglob)
b40826
+	     glob_t *pglob, size_t alloca_used)
b40826
 {
b40826
   size_t dirlen = strlen (directory);
b40826
   void *stream = NULL;
b40826
@@ -1288,11 +1460,12 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
b40826
   struct globnames *names = &init_names;
b40826
   struct globnames *names_alloca = &init_names;
b40826
   size_t nfound = 0;
b40826
-  size_t allocasize = sizeof (init_names);
b40826
   size_t cur = 0;
b40826
   int meta;
b40826
   int save;
b40826
 
b40826
+  alloca_used += sizeof (init_names);
b40826
+
b40826
   init_names.next = NULL;
b40826
   init_names.count = INITIAL_COUNT;
b40826
 
b40826
@@ -1308,20 +1481,36 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
b40826
     {
b40826
       /* Since we use the normal file functions we can also use stat()
b40826
 	 to verify the file is there.  */
b40826
-      struct stat st;
b40826
-      struct_stat64 st64;
b40826
+      union
b40826
+      {
b40826
+	struct stat st;
b40826
+	struct_stat64 st64;
b40826
+      } ust;
b40826
       size_t patlen = strlen (pattern);
b40826
-      char *fullname = (char *) __alloca (dirlen + 1 + patlen + 1);
b40826
+      int alloca_fullname = __libc_use_alloca (alloca_used
b40826
+					       + dirlen + 1 + patlen + 1);
b40826
+      char *fullname;
b40826
+      if (alloca_fullname)
b40826
+	fullname = alloca_account (dirlen + 1 + patlen + 1, alloca_used);
b40826
+      else
b40826
+	{
b40826
+	  fullname = malloc (dirlen + 1 + patlen + 1);
b40826
+	  if (fullname == NULL)
b40826
+	    return GLOB_NOSPACE;
b40826
+	}
b40826
 
b40826
       mempcpy (mempcpy (mempcpy (fullname, directory, dirlen),
b40826
 			"/", 1),
b40826
 	       pattern, patlen + 1);
b40826
       if ((__builtin_expect (flags & GLOB_ALTDIRFUNC, 0)
b40826
-	   ? (*pglob->gl_stat) (fullname, &st)
b40826
-	   : __stat64 (fullname, &st64)) == 0)
b40826
+	   ? (*pglob->gl_stat) (fullname, &ust.st)
b40826
+	   : __stat64 (fullname, &ust.st64)) == 0)
b40826
 	/* We found this file to be existing.  Now tell the rest
b40826
 	   of the function to copy this name into the result.  */
b40826
 	flags |= GLOB_NOCHECK;
b40826
+
b40826
+      if (__builtin_expect (!alloca_fullname, 0))
b40826
+	free (fullname);
b40826
     }
b40826
   else
b40826
     {
b40826
@@ -1409,9 +1598,9 @@ glob_in_dir (const char *pattern, const char *directory, int flags,
b40826
 			  size_t size = (sizeof (struct globnames)
b40826
 					 + ((count - INITIAL_COUNT)
b40826
 					    * sizeof (char *)));
b40826
-			  allocasize += size;
b40826
-			  if (__libc_use_alloca (allocasize))
b40826
-			    newnames = names_alloca = __alloca (size);
b40826
+			  if (__libc_use_alloca (alloca_used + size))
b40826
+			    newnames = names_alloca
b40826
+			      = alloca_account (size, alloca_used);
b40826
 			  else if ((newnames = malloc (size))
b40826
 				   == NULL)
b40826
 			    goto memory_error;