From owner-svn-src-all@FreeBSD.ORG  Sat Jul  5 21:50:59 2014
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E0D3BDB;
 Sat,  5 Jul 2014 21:50:59 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id CE14E211D;
 Sat,  5 Jul 2014 21:50:59 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s65LoxOJ091254;
 Sat, 5 Jul 2014 21:50:59 GMT (envelope-from jilles@svn.freebsd.org)
Received: (from jilles@localhost)
 by svn.freebsd.org (8.14.8/8.14.8/Submit) id s65LoxMR091253;
 Sat, 5 Jul 2014 21:50:59 GMT (envelope-from jilles@svn.freebsd.org)
Message-Id: <201407052150.s65LoxMR091253@svn.freebsd.org>
From: Jilles Tjoelker <jilles@FreeBSD.org>
Date: Sat, 5 Jul 2014 21:50:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r268304 - head/bin/sh
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Jul 2014 21:51:00 -0000

Author: jilles
Date: Sat Jul  5 21:50:59 2014
New Revision: 268304
URL: http://svnweb.freebsd.org/changeset/base/268304

Log:
  sh: Fix overflow checking on 'ulimit' operand.

Modified:
  head/bin/sh/miscbltin.c

Modified: head/bin/sh/miscbltin.c
==============================================================================
--- head/bin/sh/miscbltin.c	Sat Jul  5 21:34:37 2014	(r268303)
+++ head/bin/sh/miscbltin.c	Sat Jul  5 21:50:59 2014	(r268304)
@@ -414,7 +414,6 @@ static const struct limits limits[] = {
 int
 ulimitcmd(int argc __unused, char **argv __unused)
 {
-	int	c;
 	rlim_t val = 0;
 	enum { SOFT = 0x1, HARD = 0x2 }
 			how = SOFT | HARD;
@@ -453,17 +452,22 @@ ulimitcmd(int argc __unused, char **argv
 		if (strcmp(p, "unlimited") == 0)
 			val = RLIM_INFINITY;
 		else {
-			val = 0;
+			char *end;
+			uintmax_t uval;
 
-			while ((c = *p++) >= '0' && c <= '9')
-			{
-				val = (val * 10) + (long)(c - '0');
-				if (val < 0)
-					break;
-			}
-			if (c)
+			if (*p < '0' || *p > '9')
+				error("bad number");
+			errno = 0;
+			uval = strtoumax(p, &end, 10);
+			if (errno != 0 || *end != '\0')
+				error("bad number");
+			if (uval > UINTMAX_MAX / l->factor)
+				error("bad number");
+			uval *= l->factor;
+			val = (rlim_t)uval;
+			if (val < 0 || (uintmax_t)val != uval ||
+			    val == RLIM_INFINITY)
 				error("bad number");
-			val *= l->factor;
 		}
 	}
 	if (all) {