From: "Pedro F. Giffuni"
Date: Thu, 23 May 2013 16:39:43 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject: svn commit: r250937 - stable/9/gnu/usr.bin/grep

Author: pfg
Date: Thu May 23 16:39:42 2013
New Revision: 250937
URL: http://svnweb.freebsd.org/changeset/base/250937

Log:
  MFC r250823:
  grep: change some int types.

  Change several int variables to size_t, ssize_t, or ptrdiff_t.
  This should fix the bug described in CVE-2012-5667 when an
  input line is so long that its length cannot be stored in an
  int variable.

  Obtained from: NetBSD

Modified:
  stable/9/gnu/usr.bin/grep/dfa.c
  stable/9/gnu/usr.bin/grep/grep.c
  stable/9/gnu/usr.bin/grep/search.c
Directory Properties:
  stable/9/ (props changed)

Modified: stable/9/gnu/usr.bin/grep/dfa.c ============================================================================== --- stable/9/gnu/usr.bin/grep/dfa.c Thu May 23 16:37:43 2013 (r250936) +++ stable/9/gnu/usr.bin/grep/dfa.c Thu May 23 16:39:42 2013 (r250937) 
@@ -334,9 +334,10 @@ static int hard_LC_COLLATE; /* Nonzero i #ifdef MBS_SUPPORT /* These variables are used only if (MB_CUR_MAX > 1). */ static mbstate_t mbs; /* Mbstate for mbrlen(). */ -static int cur_mb_len; /* Byte length of the current scanning - multibyte character. */ -static int cur_mb_index; /* Byte index of the current scanning multibyte +static ssize_t cur_mb_len; /* Byte length of the current scanning + multibyte character. Must also handle + negative result from mbrlen(). */ +static ssize_t cur_mb_index; /* Byte index of the current scanning multibyte character. singlebyte character : cur_mb_index = 0 @@ -369,7 +370,7 @@ static unsigned char const *buf_end; /* /* This function update cur_mb_len, and cur_mb_index. p points current lexptr, len is the remaining buffer length. */ static void -update_mb_len_index (unsigned char const *p, int len) +update_mb_len_index (unsigned char const *p, size_t len) { /* If last character is a part of a multibyte character, we update cur_mb_index. */ @@ -2463,7 +2464,7 @@ match_mb_charset (struct dfa *d, int s, int match; /* Flag which represent that matching succeed. */ int match_len; /* Length of the character (or collating element) with which this operator match. */ - int op_len; /* Length of the operator. */ + size_t op_len; /* Length of the operator. */ char buffer[128]; wchar_t wcbuf[6]; Modified: stable/9/gnu/usr.bin/grep/grep.c ============================================================================== --- stable/9/gnu/usr.bin/grep/grep.c Thu May 23 16:37:43 2013 (r250936) +++ stable/9/gnu/usr.bin/grep/grep.c Thu May 23 16:39:42 2013 (r250937) 
@@ -1346,9 +1346,9 @@ int main (int argc, char **argv) { char *keys; - size_t keycc, oldcc, keyalloc; + size_t cc, keycc, oldcc, keyalloc; int with_filenames; - int opt, cc, status; + int opt, status; int default_context; FILE *fp; extern char *optarg; Modified: stable/9/gnu/usr.bin/grep/search.c ============================================================================== --- stable/9/gnu/usr.bin/grep/search.c Thu May 23 16:37:43 2013 (r250936) +++ stable/9/gnu/usr.bin/grep/search.c Thu May 23 16:39:42 2013 (r250937) @@ -112,7 +112,7 @@ static void kwsinit (void) { static char trans[NCHAR]; - int i; + size_t i; if (match_icase) for (i = 0; i < NCHAR; ++i) @@ -326,7 +326,8 @@ EGexecute (char const *buf, size_t size, { register char const *buflim, *beg, *end; char eol = eolbyte; - int backref, start, len; + int backref; + ptrdiff_t start, len; struct kwsmatch kwsm; size_t i, ret_val; static int use_dfa;
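
Review bot: in dfa.c, at the cur_mb_len / cur_mb_index declarations (hunk at line 334), the new comment justifies a signed type for cur_mb_len only; nothing says why cur_mb_index, described as a byte index that is 0 for a single-byte character, also becomes ssize_t. If it can never be negative, size_t would match the `size_t len` that update_mb_len_index now takes and avoid a signed/unsigned mix; if it can, the comment should say when. The phrase "negative result from mbrlen()" would also be clearer if it named the values: mbrlen() returns size_t, and its error returns (size_t)-1 and (size_t)-2 only become negative once stored in an ssize_t.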
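
Review bot: in dfa.c update_mb_len_index (hunk at line 369), `len` changes from int to size_t but none of the call sites are in the diff, so it is not possible to tell from the patch whether every caller passes a non-negative value. A caller that derives the remaining length from a pointer difference and passes a negative int today would pass a very large unsigned length after this change. Please confirm the call sites, and consider extending the function comment ("len is the remaining buffer length") to state that len is never negative. Any comparison in the body between `len` and the now-ssize_t cur_mb_len converts the signed side to unsigned, so the mbrlen() error values need to be tested before such a comparison.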
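
Review bot: in dfa.c match_mb_charset (hunk at line 2463), `op_len` becomes size_t while `match_len`, declared just above it and also documented as a length, stays int. If match_len is bounded by the length of one character or collating element, a short comment saying so would explain why it was left alone; otherwise it should be widened in the same change so the two lengths are not combined across signed and unsigned types.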
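
Review bot: in grep.c main() (hunk at line 1346), `cc` moves from the `int opt, cc, status;` declaration to the size_t one, but its uses are outside the hunk. Any existing test of the form `cc < 0`, or any assignment from a function that returns a signed count with -1 for error, silently changes meaning once cc is unsigned. Please confirm that every value assigned to cc is already a size_t, and mention that in the log message.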
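
Review bot: in search.c EGexecute (hunk at line 326), `start` and `len` become ptrdiff_t while `backref` stays int and `i`, `ret_val` are size_t, and the assignments to start and len are not shown. If either is still assigned from a function whose return type is int, the wider variable does not remove the limit at that point, which matters given the log message's stated goal of handling lines whose length does not fit in an int. Please check each assignment, and make sure that comparisons between the signed start/len and the `size_t size` parameter test for negative values first.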