# N03 — NewFilePlugin: unchecked malloc/calloc throughout helpers

Bug ref      : pharo-12 only
Severity     : MEDIUM (NULL deref on every alloc failure path; image-driven)
Files        : plugins/NewFilePlugin/src/unix/UnixFile.c
               plugins/NewFilePlugin/src/win/Win32File.c
Lines (HEAD) : unix: 17-24, 52, 156; win: 38, 53, 72, 91

## Problem

Every helper that allocates memory dereferences the result without
checking for NULL.

```c
/* UnixFile.c:17-24 (HEAD, before the fix) */
#include <stdlib.h>
#include <string.h>

static char *
makeCStringWithFixedString(const char *string, size_t stringSize)
{
    char *cstring = malloc(stringSize + 1);     // return value not checked
    memcpy(cstring, string, stringSize);        // NULL deref when malloc fails
    cstring[stringSize] = 0;
    return cstring;
}
```

`makeCStringWithFixedString` is called from every primitive that
opens, creates, or deletes a file or directory. Every one of them
SEGVs on OOM.

Similarly:
  - `UnixFile.c:52` calloc of `NewDirectory_t` unchecked
  - `UnixFile.c:156` calloc of `NewFile_t` unchecked
  - `Win32File.c:38` calloc of WCHAR* unchecked
  - `Win32File.c:53` calloc inside `NewFile_wideCharToUtf8` unchecked
  - `Win32File.c:72` calloc of `stringWithPrefix` unchecked
  - `Win32File.c:91` calloc of `pathWithWildCard` unchecked

## Fix

Add NULL checks at each allocation site and propagate the failure
to the caller (most of these functions already have a NULL return
path).

```diff
diff --git a/plugins/NewFilePlugin/src/unix/UnixFile.c b/plugins/NewFilePlugin/src/unix/UnixFile.c
index bb7a747b0..7290d041b 100644
--- a/plugins/NewFilePlugin/src/unix/UnixFile.c
+++ b/plugins/NewFilePlugin/src/unix/UnixFile.c
@@ -18,6 +18,7 @@ static char *
 makeCStringWithFixedString(const char *string, size_t stringSize)
 {
     char *cstring = malloc(stringSize + 1);
+    if (!cstring) return NULL;
     memcpy(cstring, string, stringSize);
     cstring[stringSize] = 0;
     return cstring;
```
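Review bot: the guard makes `makeCStringWithFixedString` return NULL on allocation failure, but none of its callers appear in this patch, and the accompanying text says each open/create/delete primitive must treat that NULL as a primitive failure; either include those caller changes in the same PR or state explicitly which follow-up carries them, since until they land a NULL path still reaches the syscall on the OOM branch. A one-line comment above `if (!cstring) return NULL;` noting that callers are expected to fail the primitive would also help the next reader.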

Every caller of `makeCStringWithFixedString` then needs to handle a
NULL return. On this branch they all already free a possibly-NULL
pointer (`free(NULL)` is a no-op) and pass it to a syscall, which
fails safely when given NULL. The only additional change required is
to treat NULL from this helper as a failure of the primitive.

Add the same guard to `NewDirectory_open` (the calloc of
`NewDirectory_t`), to the calloc of `NewFile_t` at `UnixFile.c:156`,
and to each Win32 helper listed above that calls `calloc` or `malloc`.

## Test plan

- Under an OOM injection (malloc shim returning NULL after N calls),
  every primitive in the NewFilePlugin returns cleanly instead of
  crashing.
- Normal calls: unchanged.
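As an added illustration of the fix and of the test plan's malloc shim (example code written for this note, not code from the plugin): a fault-injecting allocator `shimMalloc` stands in for `malloc`, the hardened helper propagates NULL, and a hypothetical path-taking primitive `primitivePathLength` treats that NULL as a primitive failure instead of dereferencing it.

```c
#include <stdlib.h>
#include <string.h>

/* Fault-injecting allocator (constructed for this example, not part of
 * the plugin): returns NULL once `allocCallsLeft` reaches 0, the "malloc
 * shim returning NULL after N calls" of the test plan. -1 = never fail. */
static int allocCallsLeft = -1;

static void *shimMalloc(size_t size)
{
    if (allocCallsLeft == 0) return NULL;
    if (allocCallsLeft > 0) allocCallsLeft--;
    return malloc(size);
}

/* Hardened helper: same contract as the plugin's, plus an explicit NULL
 * return instead of writing through a failed allocation. */
static char *makeCStringWithFixedString(const char *string, size_t stringSize)
{
    char *cstring = shimMalloc(stringSize + 1);
    if (!cstring) return NULL;              /* propagate OOM to the caller */
    memcpy(cstring, string, stringSize);
    cstring[stringSize] = 0;
    return cstring;
}

/* Hypothetical stand-in for a path-taking primitive (the real ones call
 * open/unlink/etc.). NULL from the helper fails the primitive, reported
 * here as -1; on success it returns the length of the built C string. */
static long primitivePathLength(const char *string, size_t stringSize)
{
    char *path = makeCStringWithFixedString(string, stringSize);
    if (!path) return -1;                   /* no syscall, no dereference */
    long length = (long)strlen(path);
    free(path);
    return length;
}

/* Run the primitive with the shim failing after `calls` allocations. */
static long runWithOomAfter(int calls, const char *string, size_t stringSize)
{
    allocCallsLeft = calls;
    long result = primitivePathLength(string, stringSize);
    allocCallsLeft = -1;
    return result;
}
```

Only the first `stringSize` bytes of the input form the path, so a longer, non-terminated buffer such as `"abc/defXYZ"` with size 7 yields `"abc/def"`.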

## Risk notes

- This PR shows only the smallest representative fix; the full set
  of unchecked allocations is enumerated above and should be patched
  together.
- A full fix is mechanical but spans both files. Land in one PR or
  split per allocation site.
