From owner-svn-src-user@FreeBSD.ORG Tue Sep 2 14:08:28 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 68CA5A32; Tue, 2 Sep 2014 14:08:28 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 524FC1BBE; Tue, 2 Sep 2014 14:08:28 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s82E8Spw053013; Tue, 2 Sep 2014 14:08:28 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s82E8RpP053008; Tue, 2 Sep 2014 14:08:27 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201409021408.s82E8RpP053008@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 2 Sep 2014 14:08:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r270965 - in user/cperciva/freebsd-update-build/patches: 10.0-RELEASE 8.4-RELEASE 9.1-RELEASE 9.2-RELEASE X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 14:08:28 -0000 Author: delphij Date: Tue Sep 2 14:08:27 2014 New Revision: 270965 URL: http://svnweb.freebsd.org/changeset/base/270965 Log: Add patches for 2014-07-08 batch. Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/10.0-RELEASE/7-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1071,6 +1071,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_NOWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_NOWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,15 @@ +Index: etc/rc.d/jail +=================================================================== +--- etc/rc.d/jail (revision 268273) ++++ etc/rc.d/jail (working copy) +@@ -647,7 +647,9 @@ jail_start() + done + + eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ +- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 ++ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ ++ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ ++ m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3346,7 +3349,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3353,25 +3355,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3424,6 +3421,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6236,9 +6234,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/9.1-RELEASE/17-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1011,6 +1011,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1876,6 +1876,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2628,6 +2628,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2834,11 +2835,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2845,10 +2845,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2858,6 +2859,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2864,6 +2866,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2947,16 +2951,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2970,12 +2974,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = sp->strseq; + if (sp->some_taken) { +@@ -3037,6 +3042,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3092,6 +3098,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3201,6 +3208,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3251,6 +3259,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3283,7 +3292,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3296,25 +3304,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_stream_change_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + stradd = mtod(m_notify, struct sctp_stream_change_event *); ++ memset(stradd, 0, sizeof(struct sctp_stream_change_event)); + stradd->strchange_type = SCTP_STREAM_CHANGE_EVENT; + stradd->strchange_flags = flag; +- stradd->strchange_length = len; ++ stradd->strchange_length = sizeof(struct sctp_stream_change_event); + stradd->strchange_assoc_id = sctp_get_associd(stcb); + stradd->strchange_instrms = numberin; + stradd->strchange_outstrms = numberout; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_stream_change_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3345,7 +3348,6 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_assoc_reset_event *strasoc; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_ASSOC_RESETEVNT))) { +@@ -3352,25 +3354,20 @@ sctp_notify_stream_reset_tsn(struct sctp_tcb *stcb + /* event not enabled */ + return; + } +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_assoc_reset_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ + return; + SCTP_BUF_LEN(m_notify) = 0; +- len = sizeof(struct sctp_assoc_reset_event); +- if (len > M_TRAILINGSPACE(m_notify)) { +- /* never enough room */ +- sctp_m_freem(m_notify); +- return; +- } + strasoc = mtod(m_notify, struct sctp_assoc_reset_event *); ++ memset(strasoc, 0, sizeof(struct sctp_assoc_reset_event)); + strasoc->assocreset_type = SCTP_ASSOC_RESET_EVENT; + strasoc->assocreset_flags = flag; +- strasoc->assocreset_length = len; ++ strasoc->assocreset_length = sizeof(struct sctp_assoc_reset_event); + strasoc->assocreset_assoc_id = sctp_get_associd(stcb); + strasoc->assocreset_local_tsn = sending_tsn; + strasoc->assocreset_remote_tsn = recv_tsn; +- SCTP_BUF_LEN(m_notify) = len; ++ SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_assoc_reset_event); + SCTP_BUF_NEXT(m_notify) = NULL; + if (sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv) < SCTP_BUF_LEN(m_notify)) { + /* no space */ +@@ -3423,6 +3420,7 @@ sctp_notify_stream_reset(struct sctp_tcb *stcb, + return; + } + strreset = mtod(m_notify, struct sctp_stream_reset_event *); ++ memset(strreset, 0, len); + strreset->strreset_type = SCTP_STREAM_RESET_EVENT; + strreset->strreset_flags = flag; + strreset->strreset_length = len; +@@ -6261,9 +6259,12 @@ sctp_soreceive(struct socket *so, + fromlen = 0; + } + ++ if (filling_sinfo) { ++ memset(&sinfo, 0, sizeof(struct sctp_extrcvinfo)); ++ } + error = sctp_sorecvmsg(so, uio, mp0, from, fromlen, flagsp, + (struct sctp_sndrcvinfo *)&sinfo, filling_sinfo); +- if ((controlp) && (filling_sinfo)) { ++ if (controlp != NULL) { + /* copy back the sinfo in a CMSG format */ + if (filling_sinfo) + *controlp = sctp_build_ctl_nchunk(inp, Added: user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/9.2-RELEASE/10-SA-14:17.kmem Tue Sep 2 14:08:27 2014 (r270965) @@ -0,0 +1,263 @@ +Index: sys/kern/uipc_sockbuf.c +=================================================================== +--- sys/kern/uipc_sockbuf.c (revision 268273) ++++ sys/kern/uipc_sockbuf.c (working copy) +@@ -1045,6 +1045,11 @@ sbcreatecontrol(caddr_t p, int size, int type, int + m->m_len = 0; + KASSERT(CMSG_SPACE((u_int)size) <= M_TRAILINGSPACE(m), + ("sbcreatecontrol: short mbuf")); ++ /* ++ * Don't leave the padding between the msg header and the ++ * cmsg data and the padding after the cmsg data un-initialized. ++ */ ++ bzero(cp, CMSG_SPACE((u_int)size)); + if (p != NULL) + (void)memcpy(CMSG_DATA(cp), p, size); + m->m_len = CMSG_SPACE(size); +Index: sys/netinet/sctp_auth.c +=================================================================== +--- sys/netinet/sctp_auth.c (revision 268273) ++++ sys/netinet/sctp_auth.c (working copy) +@@ -1790,6 +1790,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, + + SCTP_BUF_LEN(m_notify) = 0; + auth = mtod(m_notify, struct sctp_authkey_event *); ++ memset(auth, 0, sizeof(struct sctp_authkey_event)); + auth->auth_type = SCTP_AUTHENTICATION_EVENT; + auth->auth_flags = 0; + auth->auth_length = sizeof(*auth); +Index: sys/netinet/sctp_indata.c +=================================================================== +--- sys/netinet/sctp_indata.c (revision 268273) ++++ sys/netinet/sctp_indata.c (working copy) +@@ -250,6 +250,11 @@ sctp_build_ctl_nchunk(struct sctp_inpcb *inp, stru + + /* We need a CMSG header followed by the struct */ + cmh = mtod(ret, struct cmsghdr *); ++ /* ++ * Make sure that there is no un-initialized padding between the ++ * cmsg header and cmsg data and after the cmsg data. ++ */ ++ memset(cmh, 0, len); + if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { + cmh->cmsg_level = IPPROTO_SCTP; + cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); +Index: sys/netinet/sctputil.c +=================================================================== +--- sys/netinet/sctputil.c (revision 268273) ++++ sys/netinet/sctputil.c (working copy) +@@ -2622,6 +2622,7 @@ sctp_notify_assoc_change(uint16_t state, struct sc + } + SCTP_BUF_NEXT(m_notify) = NULL; + sac = mtod(m_notify, struct sctp_assoc_change *); ++ memset(sac, 0, notif_len); + sac->sac_type = SCTP_ASSOC_CHANGE; + sac->sac_flags = 0; + sac->sac_length = sizeof(struct sctp_assoc_change); +@@ -2835,11 +2836,10 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + if (m_notify == NULL) + /* no space left */ + return; +- length += chk->send_size; +- length -= sizeof(struct sctp_data_chunk); + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + if (sent) { + ssfe->ssfe_flags = SCTP_DATA_SENT; +@@ -2846,10 +2846,11 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssfe->ssfe_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = chk->rec.data.stream_number; + ssfe->ssfe_info.snd_flags = chk->rec.data.rcv_flags; + ssfe->ssfe_info.snd_ppid = chk->rec.data.payloadtype; +@@ -2859,6 +2860,7 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + if (sent) { + ssf->ssf_flags = SCTP_DATA_SENT; +@@ -2865,6 +2867,8 @@ sctp_notify_send_failed(struct sctp_tcb *stcb, uin + } else { + ssf->ssf_flags = SCTP_DATA_UNSENT; + } ++ length += chk->send_size; ++ length -= sizeof(struct sctp_data_chunk); + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +@@ -2948,16 +2952,16 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + /* no space left */ + return; + } +- length += sp->length; + SCTP_BUF_LEN(m_notify) = 0; + if (sctp_stcb_is_feature_on(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_RECVNSENDFAILEVNT)) { + ssfe = mtod(m_notify, struct sctp_send_failed_event *); ++ memset(ssfe, 0, length); + ssfe->ssfe_type = SCTP_SEND_FAILED_EVENT; + ssfe->ssfe_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssfe->ssfe_length = length; + ssfe->ssfe_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssfe->ssfe_info, sizeof(ssfe->ssfe_info)); + ssfe->ssfe_info.snd_sid = sp->stream; + if (sp->some_taken) { + ssfe->ssfe_info.snd_flags = SCTP_DATA_LAST_FRAG; +@@ -2971,12 +2975,13 @@ sctp_notify_send_failed2(struct sctp_tcb *stcb, ui + SCTP_BUF_LEN(m_notify) = sizeof(struct sctp_send_failed_event); + } else { + ssf = mtod(m_notify, struct sctp_send_failed *); ++ memset(ssf, 0, length); + ssf->ssf_type = SCTP_SEND_FAILED; + ssf->ssf_flags = SCTP_DATA_UNSENT; ++ length += sp->length; + ssf->ssf_length = length; + ssf->ssf_error = error; + /* not exactly what the user sent in, but should be close :) */ +- bzero(&ssf->ssf_info, sizeof(ssf->ssf_info)); + ssf->ssf_info.sinfo_stream = sp->stream; + ssf->ssf_info.sinfo_ssn = 0; + if (sp->some_taken) { +@@ -3038,6 +3043,7 @@ sctp_notify_adaptation_layer(struct sctp_tcb *stcb + return; + SCTP_BUF_LEN(m_notify) = 0; + sai = mtod(m_notify, struct sctp_adaptation_event *); ++ memset(sai, 0, sizeof(struct sctp_adaptation_event)); + sai->sai_type = SCTP_ADAPTATION_INDICATION; + sai->sai_flags = 0; + sai->sai_length = sizeof(struct sctp_adaptation_event); +@@ -3093,6 +3099,7 @@ sctp_notify_partial_delivery_indication(struct sct + return; + SCTP_BUF_LEN(m_notify) = 0; + pdapi = mtod(m_notify, struct sctp_pdapi_event *); ++ memset(pdapi, 0, sizeof(struct sctp_pdapi_event)); + pdapi->pdapi_type = SCTP_PARTIAL_DELIVERY_EVENT; + pdapi->pdapi_flags = 0; + pdapi->pdapi_length = sizeof(struct sctp_pdapi_event); +@@ -3202,6 +3209,7 @@ sctp_notify_shutdown_event(struct sctp_tcb *stcb) + /* no space left */ + return; + sse = mtod(m_notify, struct sctp_shutdown_event *); ++ memset(sse, 0, sizeof(struct sctp_shutdown_event)); + sse->sse_type = SCTP_SHUTDOWN_EVENT; + sse->sse_flags = 0; + sse->sse_length = sizeof(struct sctp_shutdown_event); +@@ -3252,6 +3260,7 @@ sctp_notify_sender_dry_event(struct sctp_tcb *stcb + } + SCTP_BUF_LEN(m_notify) = 0; + event = mtod(m_notify, struct sctp_sender_dry_event *); ++ memset(event, 0, sizeof(struct sctp_sender_dry_event)); + event->sender_dry_type = SCTP_SENDER_DRY_EVENT; + event->sender_dry_flags = 0; + event->sender_dry_length = sizeof(struct sctp_sender_dry_event); +@@ -3284,7 +3293,6 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + struct mbuf *m_notify; + struct sctp_queued_to_read *control; + struct sctp_stream_change_event *stradd; +- int len; + + if ((stcb == NULL) || + (sctp_stcb_is_feature_off(stcb->sctp_ep, stcb, SCTP_PCB_FLAGS_STREAM_CHANGEEVNT))) { +@@ -3297,25 +3305,20 @@ sctp_notify_stream_reset_add(struct sctp_tcb *stcb + return; + } + stcb->asoc.peer_req_out = 0; +- m_notify = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); ++ m_notify = sctp_get_mbuf_for_msg(sizeof(struct sctp_stream_change_event), 0, M_DONTWAIT, 1, MT_DATA); + if (m_notify == NULL) + /* no space left */ *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-user@FreeBSD.ORG Tue Sep 2 14:09:53 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 2DB59B3D; Tue, 2 Sep 2014 14:09:53 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1866A1BD2; Tue, 2 Sep 2014 14:09:53 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s82E9r8d053341; Tue, 2 Sep 2014 14:09:53 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s82E9qo0053339; Tue, 2 Sep 2014 14:09:52 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201409021409.s82E9qo0053339@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 2 Sep 2014 14:09:52 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r270966 - user/cperciva/freebsd-update-build/patches/8.4-RELEASE X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 14:09:53 -0000 Author: delphij Date: Tue Sep 2 14:09:52 2014 New Revision: 270966 URL: http://svnweb.freebsd.org/changeset/base/270966 Log: Add two missed patches for 8.4-RELEASE. Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:08.heimdal user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:16.file Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:08.heimdal ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:08.heimdal Tue Sep 2 14:09:52 2014 (r270966) @@ -0,0 +1,13 @@ +Index: crypto/heimdal/lib/gssapi/krb5/prf.c +=================================================================== +--- crypto/heimdal/lib/gssapi/krb5/prf.c (revision 267806) ++++ crypto/heimdal/lib/gssapi/krb5/prf.c (working copy) +@@ -117,7 +117,7 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, + num = 0; + p = prf_out->value; + while(desired_output_len > 0) { +- _gsskrb5_encode_om_uint32(num, input.data); ++ _gsskrb5_encode_be_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); + if (ret) { + OM_uint32 junk; Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:16.file ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:16.file Tue Sep 2 14:09:52 2014 (r270966) @@ -0,0 +1,1891 @@ +Index: contrib/file/ascmagic.c +=================================================================== +--- contrib/file/ascmagic.c (revision 267806) ++++ contrib/file/ascmagic.c (working copy) +@@ -151,7 +151,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, + if ((utf8_end = encode_utf8(utf8_buf, mlen, ubuf, ulen)) == NULL) + goto done; + if ((rv = file_softmagic(ms, utf8_buf, (size_t)(utf8_end - utf8_buf), +- TEXTTEST)) != 0) ++ 0, TEXTTEST)) != 0) + goto done; + else + rv = -1; +Index: contrib/file/cdf.c +=================================================================== +--- contrib/file/cdf.c (revision 267806) ++++ contrib/file/cdf.c (working copy) +@@ -24,15 +24,18 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Parse composite document files, the format used in Microsoft Office +- * document files before they switched to zipped xml. ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. + * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #include "file.h" + + #ifndef lint +-FILE_RCSID("@(#)$File: cdf.c,v 1.30 2009/05/06 14:29:47 christos Exp $") ++FILE_RCSID("@(#)$File: cdf.c,v 1.49 2012/02/20 20:04:37 christos Exp $") + #endif + + #include +@@ -44,6 +47,9 @@ + #include + #include + #include ++#ifdef HAVE_LIMITS_H ++#include ++#endif + + #ifndef EFTYPE + #define EFTYPE EINVAL +@@ -51,10 +57,6 @@ + + #include "cdf.h" + +-#ifndef __arraycount +-#define __arraycount(a) (sizeof(a) / sizeof(a[0])) +-#endif +- + #ifdef CDF_DEBUG + #define DPRINTF(a) printf a, fflush(stdout) + #else +@@ -68,19 +70,21 @@ static union { + + #define NEED_SWAP (cdf_bo.u == (uint32_t)0x01020304) + +-#define CDF_TOLE8(x) (NEED_SWAP ? cdf_tole8(x) : (uint64_t)(x)) +-#define CDF_TOLE4(x) (NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x)) +-#define CDF_TOLE2(x) (NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x)) ++#define CDF_TOLE8(x) ((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x))) ++#define CDF_TOLE4(x) ((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x))) ++#define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x))) ++#define CDF_GETUINT32(x, y) cdf_getuint32(x, y) + ++ + /* + * swap a short + */ +-uint16_t +-cdf_tole2(uint16_t sv) ++static uint16_t ++_cdf_tole2(uint16_t sv) + { + uint16_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[1]; + d[1] = s[0]; + return rv; +@@ -89,12 +93,12 @@ static union { + /* + * swap an int + */ +-uint32_t +-cdf_tole4(uint32_t sv) ++static uint32_t ++_cdf_tole4(uint32_t sv) + { + uint32_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[3]; + d[1] = s[2]; + d[2] = s[1]; +@@ -105,12 +109,12 @@ static union { + /* + * swap a quad + */ +-uint64_t +-cdf_tole8(uint64_t sv) ++static uint64_t ++_cdf_tole8(uint64_t sv) + { + uint64_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[7]; + d[1] = s[6]; + d[2] = s[5]; +@@ -122,11 +126,41 @@ static union { + return rv; + } + ++/* ++ * grab a uint32_t from a possibly unaligned address, and return it in ++ * the native host order. ++ */ ++static uint32_t ++cdf_getuint32(const uint8_t *p, size_t offs) ++{ ++ uint32_t rv; ++ (void)memcpy(&rv, p + offs * sizeof(uint32_t), sizeof(rv)); ++ return CDF_TOLE4(rv); ++} ++ + #define CDF_UNPACK(a) \ + (void)memcpy(&(a), &buf[len], sizeof(a)), len += sizeof(a) + #define CDF_UNPACKA(a) \ + (void)memcpy((a), &buf[len], sizeof(a)), len += sizeof(a) + ++uint16_t ++cdf_tole2(uint16_t sv) ++{ ++ return CDF_TOLE2(sv); ++} ++ ++uint32_t ++cdf_tole4(uint32_t sv) ++{ ++ return CDF_TOLE4(sv); ++} ++ ++uint64_t ++cdf_tole8(uint64_t sv) ++{ ++ return CDF_TOLE8(sv); ++} ++ + void + cdf_swap_header(cdf_header_t *h) + { +@@ -145,15 +179,15 @@ cdf_swap_header(cdf_header_t *h) + h->h_min_size_standard_stream = + CDF_TOLE4(h->h_min_size_standard_stream); + h->h_secid_first_sector_in_short_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_short_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_short_sat); + h->h_num_sectors_in_short_sat = + CDF_TOLE4(h->h_num_sectors_in_short_sat); + h->h_secid_first_sector_in_master_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_master_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_master_sat); + h->h_num_sectors_in_master_sat = + CDF_TOLE4(h->h_num_sectors_in_master_sat); + for (i = 0; i < __arraycount(h->h_master_sat); i++) +- h->h_master_sat[i] = CDF_TOLE4(h->h_master_sat[i]); ++ h->h_master_sat[i] = CDF_TOLE4((uint32_t)h->h_master_sat[i]); + } + + void +@@ -186,15 +220,15 @@ void + cdf_swap_dir(cdf_directory_t *d) + { + d->d_namelen = CDF_TOLE2(d->d_namelen); +- d->d_left_child = CDF_TOLE4(d->d_left_child); +- d->d_right_child = CDF_TOLE4(d->d_right_child); +- d->d_storage = CDF_TOLE4(d->d_storage); ++ d->d_left_child = CDF_TOLE4((uint32_t)d->d_left_child); ++ d->d_right_child = CDF_TOLE4((uint32_t)d->d_right_child); ++ d->d_storage = CDF_TOLE4((uint32_t)d->d_storage); + d->d_storage_uuid[0] = CDF_TOLE8(d->d_storage_uuid[0]); + d->d_storage_uuid[1] = CDF_TOLE8(d->d_storage_uuid[1]); + d->d_flags = CDF_TOLE4(d->d_flags); +- d->d_created = CDF_TOLE8(d->d_created); +- d->d_modified = CDF_TOLE8(d->d_modified); +- d->d_stream_first_sector = CDF_TOLE4(d->d_stream_first_sector); ++ d->d_created = CDF_TOLE8((uint64_t)d->d_created); ++ d->d_modified = CDF_TOLE8((uint64_t)d->d_modified); ++ d->d_stream_first_sector = CDF_TOLE4((uint32_t)d->d_stream_first_sector); + d->d_size = CDF_TOLE4(d->d_size); + } + +@@ -228,14 +262,18 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf) + } + + static int +-cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail) ++cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, ++ const void *p, size_t tail, int line) + { + const char *b = (const char *)sst->sst_tab; + const char *e = ((const char *)p) + tail; +- if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len) ++ (void)&line; ++ if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) + return 0; +- DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e, +- (size_t)(e - b), sst->sst_dirlen * sst->sst_len)); ++ DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" ++ " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" ++ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), ++ CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + errno = EFTYPE; + return -1; + } +@@ -278,7 +316,8 @@ cdf_read_header(const cdf_info_t *info, cdf_header + cdf_unpack_header(h, buf); + cdf_swap_header(h); + if (h->h_magic != CDF_MAGIC) { +- DPRINTF(("Bad magic 0x%llx != 0x%llx\n", ++ DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%" ++ INT64_T_FORMAT "x\n", + (unsigned long long)h->h_magic, + (unsigned long long)CDF_MAGIC)); + goto out; +@@ -303,9 +342,10 @@ ssize_t + cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len, + const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SEC_SIZE(h) == len); +- return cdf_read(info, (off_t)CDF_SEC_POS(h, id), +- ((char *)buf) + offs, len); ++ size_t ss = CDF_SEC_SIZE(h); ++ size_t pos = CDF_SEC_POS(h, id); ++ assert(ss == len); ++ return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len); + } + + ssize_t +@@ -312,9 +352,17 @@ ssize_t + cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, + size_t len, const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SHORT_SEC_SIZE(h) == len); ++ size_t ss = CDF_SHORT_SEC_SIZE(h); ++ size_t pos = CDF_SHORT_SEC_POS(h, id); ++ assert(ss == len); ++ if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { ++ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" ++ SIZE_T_FORMAT "u\n", ++ pos, CDF_SEC_SIZE(h) * sst->sst_len)); ++ return -1; ++ } + (void)memcpy(((char *)buf) + offs, +- ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len); ++ ((const char *)sst->sst_tab) + pos, len); + return len; + } + +@@ -334,17 +382,20 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + break; + + #define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss)) +- if (h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec || ++ if ((nsatpersec > 0 && ++ h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) || + i > CDF_SEC_LIMIT) { +- DPRINTF(("Number of sectors in master SAT too big %u %zu\n", +- h->h_num_sectors_in_master_sat, i)); ++ DPRINTF(("Number of sectors in master SAT too big %u %" ++ SIZE_T_FORMAT "u\n", h->h_num_sectors_in_master_sat, i)); + errno = EFTYPE; + return -1; + } + + sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i; +- DPRINTF(("sat_len = %zu ss = %zu\n", sat->sat_len, ss)); +- if ((sat->sat_tab = calloc(sat->sat_len, ss)) == NULL) ++ DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n", ++ sat->sat_len, ss)); ++ if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss))) ++ == NULL) + return -1; + + for (i = 0; i < __arraycount(h->h_master_sat); i++) { +@@ -357,7 +408,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + } + } + +- if ((msa = calloc(1, ss)) == NULL) ++ if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL) + goto out1; + + mid = h->h_secid_first_sector_in_master_sat; +@@ -374,12 +425,12 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + for (k = 0; k < nsatpersec; k++, i++) { +- sec = CDF_TOLE4(msa[k]); ++ sec = CDF_TOLE4((uint32_t)msa[k]); + if (sec < 0) + goto out; + if (i >= sat->sat_len) { +- DPRINTF(("Out of bounds reading MSA %u >= %u", +- i, sat->sat_len)); ++ DPRINTF(("Out of bounds reading MSA %" SIZE_T_FORMAT ++ "u >= %" SIZE_T_FORMAT "u", i, sat->sat_len)); + errno = EFTYPE; + goto out2; + } +@@ -390,7 +441,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + } +- mid = CDF_TOLE4(msa[nsatpersec]); ++ mid = CDF_TOLE4((uint32_t)msa[nsatpersec]); + } + out: + sat->sat_len = i; +@@ -422,7 +473,7 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t + errno = EFTYPE; + return (size_t)-1; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + DPRINTF(("\n")); + return i; +@@ -452,7 +503,8 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading long sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -465,7 +517,7 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + DPRINTF(("Reading long sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -497,7 +549,8 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", ++ i, scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -506,7 +559,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + DPRINTF(("Reading short sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(ssat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)ssat->sat_tab[sid]); + } + return 0; + out: +@@ -520,7 +573,7 @@ cdf_read_sector_chain(const cdf_info_t *info, cons + cdf_secid_t sid, size_t len, cdf_stream_t *scn) + { + +- if (len < h->h_min_size_standard_stream) ++ if (len < h->h_min_size_standard_stream && sst->sst_tab != NULL) + return cdf_read_short_sector_chain(h, ssat, sst, sid, len, + scn); + else +@@ -543,11 +596,12 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + nd = ss / CDF_DIRECTORY_SIZE; + + dir->dir_len = ns * nd; +- dir->dir_tab = calloc(dir->dir_len, sizeof(dir->dir_tab[0])); ++ dir->dir_tab = CAST(cdf_directory_t *, ++ calloc(dir->dir_len, sizeof(dir->dir_tab[0]))); + if (dir->dir_tab == NULL) + return -1; + +- if ((buf = malloc(ss)) == NULL) { ++ if ((buf = CAST(char *, malloc(ss))) == NULL) { + free(dir->dir_tab); + return -1; + } +@@ -566,7 +620,7 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + cdf_unpack_dir(&dir->dir_tab[i * nd + j], + &buf[j * CDF_DIRECTORY_SIZE]); + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + if (NEED_SWAP) + for (i = 0; i < dir->dir_len; i++) +@@ -592,7 +646,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + if (ssat->sat_len == (size_t)-1) + return -1; + +- ssat->sat_tab = calloc(ssat->sat_len, ss); ++ ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss)); + if (ssat->sat_tab == NULL) + return -1; + +@@ -604,7 +658,8 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + } + if (i >= ssat->sat_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, ssat->sat_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ ssat->sat_len)); + errno = EFTYPE; + goto out; + } +@@ -613,7 +668,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + DPRINTF(("Reading short sat sector %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -641,7 +696,7 @@ cdf_read_short_stream(const cdf_info_t *info, cons + if (d->d_stream_first_sector < 0) + goto out; + +- return cdf_read_long_sector_chain(info, h, sat, ++ return cdf_read_long_sector_chain(info, h, sat, + d->d_stream_first_sector, d->d_size, scn); + out: + scn->sst_tab = NULL; +@@ -668,29 +723,29 @@ cdf_read_summary_info(const cdf_info_t *info, cons + const cdf_directory_t *d; + static const char name[] = "\05SummaryInformation"; + +- for (i = 0; i < dir->dir_len; i++) +- if (dir->dir_tab[i].d_type == CDF_DIR_TYPE_USER_STREAM && +- cdf_namecmp(name, dir->dir_tab[i].d_name, sizeof(name)) ++ for (i = dir->dir_len; i > 0; i--) ++ if (dir->dir_tab[i - 1].d_type == CDF_DIR_TYPE_USER_STREAM && ++ cdf_namecmp(name, dir->dir_tab[i - 1].d_name, sizeof(name)) + == 0) + break; + +- if (i == dir->dir_len) { ++ if (i == 0) { + DPRINTF(("Cannot find summary information section\n")); +- errno = EFTYPE; ++ errno = ESRCH; + return -1; + } +- d = &dir->dir_tab[i]; ++ d = &dir->dir_tab[i - 1]; + return cdf_read_sector_chain(info, h, sat, ssat, sst, + d->d_stream_first_sector, d->d_size, scn); + } + + int +-cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs, +- cdf_property_info_t **info, size_t *count, size_t *maxcount) ++cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount) + { + const cdf_section_header_t *shp; + cdf_section_header_t sh; +- const uint32_t *p, *q, *e; ++ const uint8_t *p, *q, *e; + int16_t s16; + int32_t s32; + uint32_t u32; +@@ -697,7 +752,7 @@ int + int64_t s64; + uint64_t u64; + cdf_timestamp_t tp; +- size_t i, o, nelements, j; ++ size_t i, o, o4, nelements, j; + cdf_property_info_t *inp; + + if (offs > UINT32_MAX / 4) { +@@ -704,8 +759,9 @@ int + errno = EFTYPE; + goto out; + } +- shp = (const void *)((const char *)sst->sst_tab + offs); +- if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1) ++ shp = CAST(const cdf_section_header_t *, (const void *) ++ ((const char *)sst->sst_tab + offs)); ++ if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1) + goto out; + sh.sh_len = CDF_TOLE4(shp->sh_len); + #define CDF_SHLEN_LIMIT (UINT32_MAX / 8) +@@ -723,10 +779,12 @@ int + if (*maxcount > CDF_PROP_LIMIT) + goto out; + *maxcount += sh.sh_properties; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + } else { + *maxcount = sh.sh_properties; +- inp = malloc(*maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ malloc(*maxcount * sizeof(*inp))); + } + if (inp == NULL) + goto out; +@@ -733,65 +791,87 @@ int + *info = inp; + inp += *count; + *count += sh.sh_properties; +- p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh)); +- e = (const void *)(((const char *)shp) + sh.sh_len); +- if (cdf_check_stream_offset(sst, e, 0) == -1) ++ p = CAST(const uint8_t *, (const void *) ++ ((const char *)(const void *)sst->sst_tab + ++ offs + sizeof(sh))); ++ e = CAST(const uint8_t *, (const void *) ++ (((const char *)(const void *)shp) + sh.sh_len)); ++ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + goto out; + for (i = 0; i < sh.sh_properties; i++) { +- q = (const uint32_t *)((const char *)p + +- CDF_TOLE4(p[(i << 1) + 1])) - 2; ++ size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); ++ q = (const uint8_t *)(const void *) ++ ((const char *)(const void *)p + ofs ++ - 2 * sizeof(uint32_t)); + if (q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } +- inp[i].pi_id = CDF_TOLE4(p[i << 1]); +- inp[i].pi_type = CDF_TOLE4(q[0]); +- DPRINTF(("%d) id=%x type=%x offs=%x\n", i, inp[i].pi_id, +- inp[i].pi_type, (const char *)q - (const char *)p)); ++ inp[i].pi_id = CDF_GETUINT32(p, i << 1); ++ inp[i].pi_type = CDF_GETUINT32(q, 0); ++ DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", ++ i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); + if (inp[i].pi_type & CDF_VECTOR) { +- nelements = CDF_TOLE4(q[1]); ++ nelements = CDF_GETUINT32(q, 1); + o = 2; + } else { + nelements = 1; + o = 1; + } ++ o4 = o * sizeof(uint32_t); + if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED)) + goto unknown; + switch (inp[i].pi_type & CDF_TYPEMASK) { ++ case CDF_NULL: + case CDF_EMPTY: + break; + case CDF_SIGNED16: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s16, &q[o], sizeof(s16)); ++ (void)memcpy(&s16, &q[o4], sizeof(s16)); + inp[i].pi_s16 = CDF_TOLE2(s16); + break; + case CDF_SIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s32, &q[o], sizeof(s32)); +- inp[i].pi_s32 = CDF_TOLE4(s32); ++ (void)memcpy(&s32, &q[o4], sizeof(s32)); ++ inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32); + break; + case CDF_BOOL: + case CDF_UNSIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u32, &q[o], sizeof(u32)); ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); + inp[i].pi_u32 = CDF_TOLE4(u32); + break; + case CDF_SIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s64, &q[o], sizeof(s64)); +- inp[i].pi_s64 = CDF_TOLE4(s64); ++ (void)memcpy(&s64, &q[o4], sizeof(s64)); ++ inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64); + break; + case CDF_UNSIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u64, &q[o], sizeof(u64)); +- inp[i].pi_u64 = CDF_TOLE4(u64); ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64); + break; ++ case CDF_FLOAT: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); ++ u32 = CDF_TOLE4(u32); ++ memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f)); ++ break; ++ case CDF_DOUBLE: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ u64 = CDF_TOLE8((uint64_t)u64); ++ memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d)); ++ break; + case CDF_LENGTH32_STRING: ++ case CDF_LENGTH32_WSTRING: + if (nelements > 1) { + size_t nelem = inp - *info; + if (*maxcount > CDF_PROP_LIMIT +@@ -798,22 +878,30 @@ int + || nelements > CDF_PROP_LIMIT) + goto out; + *maxcount += nelements; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + if (inp == NULL) + goto out; + *info = inp; + inp = *info + nelem; + } +- DPRINTF(("nelements = %d\n", nelements)); ++ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", ++ nelements)); + for (j = 0; j < nelements; j++, i++) { +- uint32_t l = CDF_TOLE4(q[o]); ++ uint32_t l = CDF_GETUINT32(q, o); + inp[i].pi_str.s_len = l; +- inp[i].pi_str.s_buf = (const char *)(&q[o+1]); +- DPRINTF(("l = %d, r = %d, s = %s\n", l, ++ inp[i].pi_str.s_buf = (const char *) ++ (const void *)(&q[o4 + sizeof(l)]); ++ DPRINTF(("l = %d, r = %" SIZE_T_FORMAT ++ "u, s = %s\n", l, + CDF_ROUND(l, sizeof(l)), + inp[i].pi_str.s_buf)); +- l = 4 + CDF_ROUND(l, sizeof(l)); +- o += l >> 2; ++ if (l & 1) ++ l++; ++ o += l >> 1; ++ if (q + o >= e) ++ goto out; ++ o4 = o * sizeof(uint32_t); + } + i--; + break; +@@ -820,8 +908,8 @@ int + case CDF_FILETIME: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&tp, &q[o], sizeof(tp)); +- inp[i].pi_tp = CDF_TOLE8(tp); ++ (void)memcpy(&tp, &q[o4], sizeof(tp)); ++ inp[i].pi_tp = CDF_TOLE8((uint64_t)tp); + break; + case CDF_CLIPBOARD: + if (inp[i].pi_type & CDF_VECTOR) +@@ -831,7 +919,7 @@ int + unknown: + DPRINTF(("Don't know how to deal with %x\n", + inp[i].pi_type)); +- goto out; ++ break; + } + } + return 0; +@@ -841,16 +929,18 @@ out: + } + + int +-cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi, +- cdf_property_info_t **info, size_t *count) ++cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) + { + size_t i, maxcount; +- const cdf_summary_info_header_t *si = sst->sst_tab; +- const cdf_section_declaration_t *sd = (const void *) +- ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET); ++ const cdf_summary_info_header_t *si = ++ CAST(const cdf_summary_info_header_t *, sst->sst_tab); ++ const cdf_section_declaration_t *sd = ++ CAST(const cdf_section_declaration_t *, (const void *) ++ ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET)); + +- if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 || +- cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1) ++ if (cdf_check_stream_offset(sst, h, si, sizeof(*si), __LINE__) == -1 || ++ cdf_check_stream_offset(sst, h, sd, sizeof(*sd), __LINE__) == -1) + return -1; + ssi->si_byte_order = CDF_TOLE2(si->si_byte_order); + ssi->si_os_version = CDF_TOLE2(si->si_os_version); +@@ -867,9 +957,10 @@ int + errno = EFTYPE; + return -1; + } +- if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), +- info, count, &maxcount) == -1) ++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), ++ info, count, &maxcount) == -1) { + return -1; ++ } + } + return 0; + } +@@ -926,32 +1017,32 @@ cdf_print_property_name(char *buf, size_t bufsiz, + int + cdf_print_elapsed_time(char *buf, size_t bufsiz, cdf_timestamp_t ts) + { +- size_t len = 0; ++ int len = 0; + int days, hours, mins, secs; + + ts /= CDF_TIME_PREC; +- secs = ts % 60; ++ secs = (int)(ts % 60); + ts /= 60; +- mins = ts % 60; ++ mins = (int)(ts % 60); + ts /= 60; +- hours = ts % 24; ++ hours = (int)(ts % 24); + ts /= 24; +- days = ts; ++ days = (int)ts; + + if (days) { + len += snprintf(buf + len, bufsiz - len, "%dd+", days); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + if (days || hours) { + len += snprintf(buf + len, bufsiz - len, "%.2d:", hours); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + len += snprintf(buf + len, bufsiz - len, "%.2d:", mins); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + + len += snprintf(buf + len, bufsiz - len, "%.2d", secs); +@@ -994,13 +1085,14 @@ cdf_dump_sat(const char *prefix, const cdf_sat_t * + size_t i, j, s = size / sizeof(cdf_secid_t); + + for (i = 0; i < sat->sat_len; i++) { +- (void)fprintf(stderr, "%s[%zu]:\n%.6d: ", prefix, i, i * s); ++ (void)fprintf(stderr, "%s[%" SIZE_T_FORMAT "u]:\n%.6" ++ SIZE_T_FORMAT "u: ", prefix, i, i * s); + for (j = 0; j < s; j++) { + (void)fprintf(stderr, "%5d, ", + CDF_TOLE4(sat->sat_tab[s * i + j])); + if ((j + 1) % 10 == 0) +- (void)fprintf(stderr, "\n%.6d: ", +- i * s + j + 1); ++ (void)fprintf(stderr, "\n%.6" SIZE_T_FORMAT ++ "u: ", i * s + j + 1); + } + (void)fprintf(stderr, "\n"); + } +@@ -1019,7 +1111,8 @@ cdf_dump(void *v, size_t len) + if (j == 16) { + j = 0; + abuf[15] = '\0'; +- (void)fprintf(stderr, "%s\n%.4x: ", abuf, i + 1); ++ (void)fprintf(stderr, "%s\n%.4" SIZE_T_FORMAT "x: ", ++ abuf, i + 1); + } + } + (void)fprintf(stderr, "\n"); +@@ -1051,7 +1144,8 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + d = &dir->dir_tab[i]; + for (j = 0; j < sizeof(name); j++) + name[j] = (char)CDF_TOLE2(d->d_name[j]); +- (void)fprintf(stderr, "Directory %zu: %s\n", i, name); ++ (void)fprintf(stderr, "Directory %" SIZE_T_FORMAT "u: %s\n", ++ i, name); + if (d->d_type < __arraycount(types)) + (void)fprintf(stderr, "Type: %s\n", types[d->d_type]); + else +@@ -1062,9 +1156,9 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + (void)fprintf(stderr, "Right child: %d\n", d->d_right_child); + (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags); + cdf_timestamp_to_timespec(&ts, d->d_created); +- (void)fprintf(stderr, "Created %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec)); + cdf_timestamp_to_timespec(&ts, d->d_modified); +- (void)fprintf(stderr, "Modified %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Modified %s", cdf_ctime(&ts.tv_sec)); + (void)fprintf(stderr, "Stream %d\n", d->d_stream_first_sector); + (void)fprintf(stderr, "Size %d\n", d->d_size); + switch (d->d_type) { +@@ -1086,7 +1180,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + default: + break; + } +- ++ + } + } + +@@ -1096,12 +1190,14 @@ cdf_dump_property_info(const cdf_property_info_t * + cdf_timestamp_t tp; + struct timespec ts; + char buf[64]; +- size_t i; ++ size_t i, j; + + for (i = 0; i < count; i++) { + cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); +- (void)fprintf(stderr, "%zu) %s: ", i, buf); ++ (void)fprintf(stderr, "%" SIZE_T_FORMAT "u) %s: ", i, buf); + switch (info[i].pi_type) { ++ case CDF_NULL: ++ break; + case CDF_SIGNED16: + (void)fprintf(stderr, "signed 16 [%hd]\n", + info[i].pi_s16); +@@ -1114,11 +1210,26 @@ cdf_dump_property_info(const cdf_property_info_t * + (void)fprintf(stderr, "unsigned 32 [%u]\n", + info[i].pi_u32); + break; ++ case CDF_FLOAT: ++ (void)fprintf(stderr, "float [%g]\n", ++ info[i].pi_f); ++ break; ++ case CDF_DOUBLE: ++ (void)fprintf(stderr, "double [%g]\n", ++ info[i].pi_d); ++ break; + case CDF_LENGTH32_STRING: + (void)fprintf(stderr, "string %u [%.*s]\n", + info[i].pi_str.s_len, + info[i].pi_str.s_len, info[i].pi_str.s_buf); + break; ++ case CDF_LENGTH32_WSTRING: ++ (void)fprintf(stderr, "string %u [", ++ info[i].pi_str.s_len); ++ for (j = 0; j < info[i].pi_str.s_len - 1; j++) ++ (void)fputc(info[i].pi_str.s_buf[j << 1], stderr); ++ (void)fprintf(stderr, "]\n"); ++ break; + case CDF_FILETIME: + tp = info[i].pi_tp; + if (tp < 1000000000000000LL) { +@@ -1127,7 +1238,7 @@ cdf_dump_property_info(const cdf_property_info_t * + } else { + cdf_timestamp_to_timespec(&ts, tp); + (void)fprintf(stderr, "timestamp %s", +- ctime(&ts.tv_sec)); ++ cdf_ctime(&ts.tv_sec)); + } + break; + case CDF_CLIPBOARD: +@@ -1151,7 +1262,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const + size_t count; + + (void)&h; +- if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1) ++ if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1) + return; + (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order); + (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff, +@@ -1203,7 +1314,7 @@ main(int argc, char *argv[]) + if (cdf_read_ssat(&info, &h, &sat, &ssat) == -1) + err(1, "Cannot read ssat"); + #ifdef CDF_DEBUG +- cdf_dump_sat("SSAT", &h, &ssat, CDF_SHORT_SEC_SIZE(&h)); ++ cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); + #endif + + if (cdf_read_dir(&info, &h, &sat, &dir) == -1) +Index: contrib/file/cdf.h +=================================================================== +--- contrib/file/cdf.h (revision 267806) ++++ contrib/file/cdf.h (working copy) +@@ -24,12 +24,27 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. ++ * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #ifndef _H_CDF_ + #define _H_CDF_ + ++#ifdef WIN32 ++#include ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++#ifdef __DJGPP__ ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 +@@ -36,8 +51,8 @@ typedef int32_t cdf_secid_t; + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 +-#define CDF_SECID_END_OF_CHAIN -2 +-#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 ++#define CDF_SECID_END_OF_CHAIN -2 ++#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 + #define CDF_SECID_MASTER_SECTOR_ALLOCATION_TABLE -4 + + typedef struct { +@@ -61,15 +76,15 @@ typedef struct { + cdf_secid_t h_master_sat[436/4]; + } cdf_header_t; + +-#define CDF_SEC_SIZE(h) (1 << (h)->h_sec_size_p2) ++#define CDF_SEC_SIZE(h) ((size_t)(1 << (h)->h_sec_size_p2)) + #define CDF_SEC_POS(h, secid) (CDF_SEC_SIZE(h) + (secid) * CDF_SEC_SIZE(h)) +-#define CDF_SHORT_SEC_SIZE(h) (1 << (h)->h_short_sec_size_p2) ++#define CDF_SHORT_SEC_SIZE(h) ((size_t)(1 << (h)->h_short_sec_size_p2)) + #define CDF_SHORT_SEC_POS(h, secid) ((secid) * CDF_SHORT_SEC_SIZE(h)) + +-typedef int32_t cdf_dirid_t; ++typedef int32_t cdf_dirid_t; + #define CDF_DIRID_NULL -1 + +-typedef int64_t cdf_timestamp_t; ++typedef int64_t cdf_timestamp_t; + #define CDF_BASE_YEAR 1601 + #define CDF_TIME_PREC 10000000 + +@@ -78,11 +93,11 @@ typedef struct { + uint16_t d_namelen; + uint8_t d_type; + #define CDF_DIR_TYPE_EMPTY 0 +-#define CDF_DIR_TYPE_USER_STORAGE 1 +-#define CDF_DIR_TYPE_USER_STREAM 2 +-#define CDF_DIR_TYPE_LOCKBYTES 3 +-#define CDF_DIR_TYPE_PROPERTY 4 +-#define CDF_DIR_TYPE_ROOT_STORAGE 5 ++#define CDF_DIR_TYPE_USER_STORAGE 1 ++#define CDF_DIR_TYPE_USER_STREAM 2 ++#define CDF_DIR_TYPE_LOCKBYTES 3 ++#define CDF_DIR_TYPE_PROPERTY 4 ++#define CDF_DIR_TYPE_ROOT_STORAGE 5 + uint8_t d_color; + #define CDF_DIR_COLOR_READ 0 + #define CDF_DIR_COLOR_BLACK 1 +@@ -91,8 +106,8 @@ typedef struct { *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-user@FreeBSD.ORG Tue Sep 2 14:26:26 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 867E0719; Tue, 2 Sep 2014 14:26:26 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 70E7E1DE7; Tue, 2 Sep 2014 14:26:26 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s82EQQYi062990; Tue, 2 Sep 2014 14:26:26 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s82EQQX8062988; Tue, 2 Sep 2014 14:26:26 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201409021426.s82EQQX8062988@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Tue, 2 Sep 2014 14:26:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r270967 - user/cperciva/freebsd-update-build/patches/8.4-RELEASE X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Sep 2014 14:26:26 -0000 Author: delphij Date: Tue Sep 2 14:26:25 2014 New Revision: 270967 URL: http://svnweb.freebsd.org/changeset/base/270967 Log: Rename files to reflect reality. Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/14-EN-14:09.jail - copied unchanged from r270965, user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail user/cperciva/freebsd-update-build/patches/8.4-RELEASE/14-SA-14:16.file - copied unchanged from r270966, user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:16.file Deleted: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-SA-14:16.file Copied: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/14-EN-14:09.jail (from r270965, user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/14-EN-14:09.jail Tue Sep 2 14:26:25 2014 (r270967, copy of r270965, user/cperciva/freebsd-update-build/patches/8.4-RELEASE/13-EN-14:09.jail) @@ -0,0 +1,15 @@ +Index: etc/rc.d/jail +=================================================================== +--- etc/rc.d/jail (revision 268273) ++++ etc/rc.d/jail (working copy) +@@ -647,7 +647,9 @@ jail_start() + done + + eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \ +- ip4.addr=\"${_addrl}\" ip6.addr=\"${_addr6l}\" ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 ++ ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \ ++ ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \ ++ +@@ -44,6 +47,9 @@ + #include + #include + #include ++#ifdef HAVE_LIMITS_H ++#include ++#endif + + #ifndef EFTYPE + #define EFTYPE EINVAL +@@ -51,10 +57,6 @@ + + #include "cdf.h" + +-#ifndef __arraycount +-#define __arraycount(a) (sizeof(a) / sizeof(a[0])) +-#endif +- + #ifdef CDF_DEBUG + #define DPRINTF(a) printf a, fflush(stdout) + #else +@@ -68,19 +70,21 @@ static union { + + #define NEED_SWAP (cdf_bo.u == (uint32_t)0x01020304) + +-#define CDF_TOLE8(x) (NEED_SWAP ? cdf_tole8(x) : (uint64_t)(x)) +-#define CDF_TOLE4(x) (NEED_SWAP ? cdf_tole4(x) : (uint32_t)(x)) +-#define CDF_TOLE2(x) (NEED_SWAP ? cdf_tole2(x) : (uint16_t)(x)) ++#define CDF_TOLE8(x) ((uint64_t)(NEED_SWAP ? _cdf_tole8(x) : (uint64_t)(x))) ++#define CDF_TOLE4(x) ((uint32_t)(NEED_SWAP ? _cdf_tole4(x) : (uint32_t)(x))) ++#define CDF_TOLE2(x) ((uint16_t)(NEED_SWAP ? _cdf_tole2(x) : (uint16_t)(x))) ++#define CDF_GETUINT32(x, y) cdf_getuint32(x, y) + ++ + /* + * swap a short + */ +-uint16_t +-cdf_tole2(uint16_t sv) ++static uint16_t ++_cdf_tole2(uint16_t sv) + { + uint16_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[1]; + d[1] = s[0]; + return rv; +@@ -89,12 +93,12 @@ static union { + /* + * swap an int + */ +-uint32_t +-cdf_tole4(uint32_t sv) ++static uint32_t ++_cdf_tole4(uint32_t sv) + { + uint32_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[3]; + d[1] = s[2]; + d[2] = s[1]; +@@ -105,12 +109,12 @@ static union { + /* + * swap a quad + */ +-uint64_t +-cdf_tole8(uint64_t sv) ++static uint64_t ++_cdf_tole8(uint64_t sv) + { + uint64_t rv; +- uint8_t *s = (uint8_t *)(void *)&sv; +- uint8_t *d = (uint8_t *)(void *)&rv; ++ uint8_t *s = (uint8_t *)(void *)&sv; ++ uint8_t *d = (uint8_t *)(void *)&rv; + d[0] = s[7]; + d[1] = s[6]; + d[2] = s[5]; +@@ -122,11 +126,41 @@ static union { + return rv; + } + ++/* ++ * grab a uint32_t from a possibly unaligned address, and return it in ++ * the native host order. ++ */ ++static uint32_t ++cdf_getuint32(const uint8_t *p, size_t offs) ++{ ++ uint32_t rv; ++ (void)memcpy(&rv, p + offs * sizeof(uint32_t), sizeof(rv)); ++ return CDF_TOLE4(rv); ++} ++ + #define CDF_UNPACK(a) \ + (void)memcpy(&(a), &buf[len], sizeof(a)), len += sizeof(a) + #define CDF_UNPACKA(a) \ + (void)memcpy((a), &buf[len], sizeof(a)), len += sizeof(a) + ++uint16_t ++cdf_tole2(uint16_t sv) ++{ ++ return CDF_TOLE2(sv); ++} ++ ++uint32_t ++cdf_tole4(uint32_t sv) ++{ ++ return CDF_TOLE4(sv); ++} ++ ++uint64_t ++cdf_tole8(uint64_t sv) ++{ ++ return CDF_TOLE8(sv); ++} ++ + void + cdf_swap_header(cdf_header_t *h) + { +@@ -145,15 +179,15 @@ cdf_swap_header(cdf_header_t *h) + h->h_min_size_standard_stream = + CDF_TOLE4(h->h_min_size_standard_stream); + h->h_secid_first_sector_in_short_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_short_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_short_sat); + h->h_num_sectors_in_short_sat = + CDF_TOLE4(h->h_num_sectors_in_short_sat); + h->h_secid_first_sector_in_master_sat = +- CDF_TOLE4(h->h_secid_first_sector_in_master_sat); ++ CDF_TOLE4((uint32_t)h->h_secid_first_sector_in_master_sat); + h->h_num_sectors_in_master_sat = + CDF_TOLE4(h->h_num_sectors_in_master_sat); + for (i = 0; i < __arraycount(h->h_master_sat); i++) +- h->h_master_sat[i] = CDF_TOLE4(h->h_master_sat[i]); ++ h->h_master_sat[i] = CDF_TOLE4((uint32_t)h->h_master_sat[i]); + } + + void +@@ -186,15 +220,15 @@ void + cdf_swap_dir(cdf_directory_t *d) + { + d->d_namelen = CDF_TOLE2(d->d_namelen); +- d->d_left_child = CDF_TOLE4(d->d_left_child); +- d->d_right_child = CDF_TOLE4(d->d_right_child); +- d->d_storage = CDF_TOLE4(d->d_storage); ++ d->d_left_child = CDF_TOLE4((uint32_t)d->d_left_child); ++ d->d_right_child = CDF_TOLE4((uint32_t)d->d_right_child); ++ d->d_storage = CDF_TOLE4((uint32_t)d->d_storage); + d->d_storage_uuid[0] = CDF_TOLE8(d->d_storage_uuid[0]); + d->d_storage_uuid[1] = CDF_TOLE8(d->d_storage_uuid[1]); + d->d_flags = CDF_TOLE4(d->d_flags); +- d->d_created = CDF_TOLE8(d->d_created); +- d->d_modified = CDF_TOLE8(d->d_modified); +- d->d_stream_first_sector = CDF_TOLE4(d->d_stream_first_sector); ++ d->d_created = CDF_TOLE8((uint64_t)d->d_created); ++ d->d_modified = CDF_TOLE8((uint64_t)d->d_modified); ++ d->d_stream_first_sector = CDF_TOLE4((uint32_t)d->d_stream_first_sector); + d->d_size = CDF_TOLE4(d->d_size); + } + +@@ -228,14 +262,18 @@ cdf_unpack_dir(cdf_directory_t *d, char *buf) + } + + static int +-cdf_check_stream_offset(const cdf_stream_t *sst, const void *p, size_t tail) ++cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, ++ const void *p, size_t tail, int line) + { + const char *b = (const char *)sst->sst_tab; + const char *e = ((const char *)p) + tail; +- if (e >= b && (size_t)(e - b) < sst->sst_dirlen * sst->sst_len) ++ (void)&line; ++ if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) + return 0; +- DPRINTF((stderr, "offset begin %p end %p %zu >= %zu\n", b, e, +- (size_t)(e - b), sst->sst_dirlen * sst->sst_len)); ++ DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" ++ " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" ++ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), ++ CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + errno = EFTYPE; + return -1; + } +@@ -278,7 +316,8 @@ cdf_read_header(const cdf_info_t *info, cdf_header + cdf_unpack_header(h, buf); + cdf_swap_header(h); + if (h->h_magic != CDF_MAGIC) { +- DPRINTF(("Bad magic 0x%llx != 0x%llx\n", ++ DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%" ++ INT64_T_FORMAT "x\n", + (unsigned long long)h->h_magic, + (unsigned long long)CDF_MAGIC)); + goto out; +@@ -303,9 +342,10 @@ ssize_t + cdf_read_sector(const cdf_info_t *info, void *buf, size_t offs, size_t len, + const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SEC_SIZE(h) == len); +- return cdf_read(info, (off_t)CDF_SEC_POS(h, id), +- ((char *)buf) + offs, len); ++ size_t ss = CDF_SEC_SIZE(h); ++ size_t pos = CDF_SEC_POS(h, id); ++ assert(ss == len); ++ return cdf_read(info, (off_t)pos, ((char *)buf) + offs, len); + } + + ssize_t +@@ -312,9 +352,17 @@ ssize_t + cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, + size_t len, const cdf_header_t *h, cdf_secid_t id) + { +- assert((size_t)CDF_SHORT_SEC_SIZE(h) == len); ++ size_t ss = CDF_SHORT_SEC_SIZE(h); ++ size_t pos = CDF_SHORT_SEC_POS(h, id); ++ assert(ss == len); ++ if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { ++ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" ++ SIZE_T_FORMAT "u\n", ++ pos, CDF_SEC_SIZE(h) * sst->sst_len)); ++ return -1; ++ } + (void)memcpy(((char *)buf) + offs, +- ((const char *)sst->sst_tab) + CDF_SHORT_SEC_POS(h, id), len); ++ ((const char *)sst->sst_tab) + pos, len); + return len; + } + +@@ -334,17 +382,20 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + break; + + #define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss)) +- if (h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec || ++ if ((nsatpersec > 0 && ++ h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) || + i > CDF_SEC_LIMIT) { +- DPRINTF(("Number of sectors in master SAT too big %u %zu\n", +- h->h_num_sectors_in_master_sat, i)); ++ DPRINTF(("Number of sectors in master SAT too big %u %" ++ SIZE_T_FORMAT "u\n", h->h_num_sectors_in_master_sat, i)); + errno = EFTYPE; + return -1; + } + + sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i; +- DPRINTF(("sat_len = %zu ss = %zu\n", sat->sat_len, ss)); +- if ((sat->sat_tab = calloc(sat->sat_len, ss)) == NULL) ++ DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n", ++ sat->sat_len, ss)); ++ if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss))) ++ == NULL) + return -1; + + for (i = 0; i < __arraycount(h->h_master_sat); i++) { +@@ -357,7 +408,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + } + } + +- if ((msa = calloc(1, ss)) == NULL) ++ if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL) + goto out1; + + mid = h->h_secid_first_sector_in_master_sat; +@@ -374,12 +425,12 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + for (k = 0; k < nsatpersec; k++, i++) { +- sec = CDF_TOLE4(msa[k]); ++ sec = CDF_TOLE4((uint32_t)msa[k]); + if (sec < 0) + goto out; + if (i >= sat->sat_len) { +- DPRINTF(("Out of bounds reading MSA %u >= %u", +- i, sat->sat_len)); ++ DPRINTF(("Out of bounds reading MSA %" SIZE_T_FORMAT ++ "u >= %" SIZE_T_FORMAT "u", i, sat->sat_len)); + errno = EFTYPE; + goto out2; + } +@@ -390,7 +441,7 @@ cdf_read_sat(const cdf_info_t *info, cdf_header_t + goto out2; + } + } +- mid = CDF_TOLE4(msa[nsatpersec]); ++ mid = CDF_TOLE4((uint32_t)msa[nsatpersec]); + } + out: + sat->sat_len = i; +@@ -422,7 +473,7 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t + errno = EFTYPE; + return (size_t)-1; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + DPRINTF(("\n")); + return i; +@@ -452,7 +503,8 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading long sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -465,7 +517,7 @@ cdf_read_long_sector_chain(const cdf_info_t *info, + DPRINTF(("Reading long sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -497,7 +549,8 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + } + if (i >= scn->sst_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, scn->sst_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", ++ i, scn->sst_len)); + errno = EFTYPE; + goto out; + } +@@ -506,7 +559,7 @@ cdf_read_short_sector_chain(const cdf_header_t *h, + DPRINTF(("Reading short sector chain %d", sid)); + goto out; + } +- sid = CDF_TOLE4(ssat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)ssat->sat_tab[sid]); + } + return 0; + out: +@@ -520,7 +573,7 @@ cdf_read_sector_chain(const cdf_info_t *info, cons + cdf_secid_t sid, size_t len, cdf_stream_t *scn) + { + +- if (len < h->h_min_size_standard_stream) ++ if (len < h->h_min_size_standard_stream && sst->sst_tab != NULL) + return cdf_read_short_sector_chain(h, ssat, sst, sid, len, + scn); + else +@@ -543,11 +596,12 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + nd = ss / CDF_DIRECTORY_SIZE; + + dir->dir_len = ns * nd; +- dir->dir_tab = calloc(dir->dir_len, sizeof(dir->dir_tab[0])); ++ dir->dir_tab = CAST(cdf_directory_t *, ++ calloc(dir->dir_len, sizeof(dir->dir_tab[0]))); + if (dir->dir_tab == NULL) + return -1; + +- if ((buf = malloc(ss)) == NULL) { ++ if ((buf = CAST(char *, malloc(ss))) == NULL) { + free(dir->dir_tab); + return -1; + } +@@ -566,7 +620,7 @@ cdf_read_dir(const cdf_info_t *info, const cdf_hea + cdf_unpack_dir(&dir->dir_tab[i * nd + j], + &buf[j * CDF_DIRECTORY_SIZE]); + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + if (NEED_SWAP) + for (i = 0; i < dir->dir_len; i++) +@@ -592,7 +646,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + if (ssat->sat_len == (size_t)-1) + return -1; + +- ssat->sat_tab = calloc(ssat->sat_len, ss); ++ ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss)); + if (ssat->sat_tab == NULL) + return -1; + +@@ -604,7 +658,8 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + } + if (i >= ssat->sat_len) { + DPRINTF(("Out of bounds reading short sector chain " +- "%u > %u\n", i, ssat->sat_len)); ++ "%" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", i, ++ ssat->sat_len)); + errno = EFTYPE; + goto out; + } +@@ -613,7 +668,7 @@ cdf_read_ssat(const cdf_info_t *info, const cdf_he + DPRINTF(("Reading short sat sector %d", sid)); + goto out; + } +- sid = CDF_TOLE4(sat->sat_tab[sid]); ++ sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]); + } + return 0; + out: +@@ -641,7 +696,7 @@ cdf_read_short_stream(const cdf_info_t *info, cons + if (d->d_stream_first_sector < 0) + goto out; + +- return cdf_read_long_sector_chain(info, h, sat, ++ return cdf_read_long_sector_chain(info, h, sat, + d->d_stream_first_sector, d->d_size, scn); + out: + scn->sst_tab = NULL; +@@ -668,29 +723,29 @@ cdf_read_summary_info(const cdf_info_t *info, cons + const cdf_directory_t *d; + static const char name[] = "\05SummaryInformation"; + +- for (i = 0; i < dir->dir_len; i++) +- if (dir->dir_tab[i].d_type == CDF_DIR_TYPE_USER_STREAM && +- cdf_namecmp(name, dir->dir_tab[i].d_name, sizeof(name)) ++ for (i = dir->dir_len; i > 0; i--) ++ if (dir->dir_tab[i - 1].d_type == CDF_DIR_TYPE_USER_STREAM && ++ cdf_namecmp(name, dir->dir_tab[i - 1].d_name, sizeof(name)) + == 0) + break; + +- if (i == dir->dir_len) { ++ if (i == 0) { + DPRINTF(("Cannot find summary information section\n")); +- errno = EFTYPE; ++ errno = ESRCH; + return -1; + } +- d = &dir->dir_tab[i]; ++ d = &dir->dir_tab[i - 1]; + return cdf_read_sector_chain(info, h, sat, ssat, sst, + d->d_stream_first_sector, d->d_size, scn); + } + + int +-cdf_read_property_info(const cdf_stream_t *sst, uint32_t offs, +- cdf_property_info_t **info, size_t *count, size_t *maxcount) ++cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount) + { + const cdf_section_header_t *shp; + cdf_section_header_t sh; +- const uint32_t *p, *q, *e; ++ const uint8_t *p, *q, *e; + int16_t s16; + int32_t s32; + uint32_t u32; +@@ -697,7 +752,7 @@ int + int64_t s64; + uint64_t u64; + cdf_timestamp_t tp; +- size_t i, o, nelements, j; ++ size_t i, o, o4, nelements, j; + cdf_property_info_t *inp; + + if (offs > UINT32_MAX / 4) { +@@ -704,8 +759,9 @@ int + errno = EFTYPE; + goto out; + } +- shp = (const void *)((const char *)sst->sst_tab + offs); +- if (cdf_check_stream_offset(sst, shp, sizeof(*shp)) == -1) ++ shp = CAST(const cdf_section_header_t *, (const void *) ++ ((const char *)sst->sst_tab + offs)); ++ if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1) + goto out; + sh.sh_len = CDF_TOLE4(shp->sh_len); + #define CDF_SHLEN_LIMIT (UINT32_MAX / 8) +@@ -723,10 +779,12 @@ int + if (*maxcount > CDF_PROP_LIMIT) + goto out; + *maxcount += sh.sh_properties; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + } else { + *maxcount = sh.sh_properties; +- inp = malloc(*maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ malloc(*maxcount * sizeof(*inp))); + } + if (inp == NULL) + goto out; +@@ -733,65 +791,87 @@ int + *info = inp; + inp += *count; + *count += sh.sh_properties; +- p = (const void *)((const char *)sst->sst_tab + offs + sizeof(sh)); +- e = (const void *)(((const char *)shp) + sh.sh_len); +- if (cdf_check_stream_offset(sst, e, 0) == -1) ++ p = CAST(const uint8_t *, (const void *) ++ ((const char *)(const void *)sst->sst_tab + ++ offs + sizeof(sh))); ++ e = CAST(const uint8_t *, (const void *) ++ (((const char *)(const void *)shp) + sh.sh_len)); ++ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + goto out; + for (i = 0; i < sh.sh_properties; i++) { +- q = (const uint32_t *)((const char *)p + +- CDF_TOLE4(p[(i << 1) + 1])) - 2; ++ size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); ++ q = (const uint8_t *)(const void *) ++ ((const char *)(const void *)p + ofs ++ - 2 * sizeof(uint32_t)); + if (q > e) { + DPRINTF(("Ran of the end %p > %p\n", q, e)); + goto out; + } +- inp[i].pi_id = CDF_TOLE4(p[i << 1]); +- inp[i].pi_type = CDF_TOLE4(q[0]); +- DPRINTF(("%d) id=%x type=%x offs=%x\n", i, inp[i].pi_id, +- inp[i].pi_type, (const char *)q - (const char *)p)); ++ inp[i].pi_id = CDF_GETUINT32(p, i << 1); ++ inp[i].pi_type = CDF_GETUINT32(q, 0); ++ DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n", ++ i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); + if (inp[i].pi_type & CDF_VECTOR) { +- nelements = CDF_TOLE4(q[1]); ++ nelements = CDF_GETUINT32(q, 1); + o = 2; + } else { + nelements = 1; + o = 1; + } ++ o4 = o * sizeof(uint32_t); + if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED)) + goto unknown; + switch (inp[i].pi_type & CDF_TYPEMASK) { ++ case CDF_NULL: + case CDF_EMPTY: + break; + case CDF_SIGNED16: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s16, &q[o], sizeof(s16)); ++ (void)memcpy(&s16, &q[o4], sizeof(s16)); + inp[i].pi_s16 = CDF_TOLE2(s16); + break; + case CDF_SIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s32, &q[o], sizeof(s32)); +- inp[i].pi_s32 = CDF_TOLE4(s32); ++ (void)memcpy(&s32, &q[o4], sizeof(s32)); ++ inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32); + break; + case CDF_BOOL: + case CDF_UNSIGNED32: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u32, &q[o], sizeof(u32)); ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); + inp[i].pi_u32 = CDF_TOLE4(u32); + break; + case CDF_SIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&s64, &q[o], sizeof(s64)); +- inp[i].pi_s64 = CDF_TOLE4(s64); ++ (void)memcpy(&s64, &q[o4], sizeof(s64)); ++ inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64); + break; + case CDF_UNSIGNED64: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&u64, &q[o], sizeof(u64)); +- inp[i].pi_u64 = CDF_TOLE4(u64); ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64); + break; ++ case CDF_FLOAT: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u32, &q[o4], sizeof(u32)); ++ u32 = CDF_TOLE4(u32); ++ memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f)); ++ break; ++ case CDF_DOUBLE: ++ if (inp[i].pi_type & CDF_VECTOR) ++ goto unknown; ++ (void)memcpy(&u64, &q[o4], sizeof(u64)); ++ u64 = CDF_TOLE8((uint64_t)u64); ++ memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d)); ++ break; + case CDF_LENGTH32_STRING: ++ case CDF_LENGTH32_WSTRING: + if (nelements > 1) { + size_t nelem = inp - *info; + if (*maxcount > CDF_PROP_LIMIT +@@ -798,22 +878,30 @@ int + || nelements > CDF_PROP_LIMIT) + goto out; + *maxcount += nelements; +- inp = realloc(*info, *maxcount * sizeof(*inp)); ++ inp = CAST(cdf_property_info_t *, ++ realloc(*info, *maxcount * sizeof(*inp))); + if (inp == NULL) + goto out; + *info = inp; + inp = *info + nelem; + } +- DPRINTF(("nelements = %d\n", nelements)); ++ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", ++ nelements)); + for (j = 0; j < nelements; j++, i++) { +- uint32_t l = CDF_TOLE4(q[o]); ++ uint32_t l = CDF_GETUINT32(q, o); + inp[i].pi_str.s_len = l; +- inp[i].pi_str.s_buf = (const char *)(&q[o+1]); +- DPRINTF(("l = %d, r = %d, s = %s\n", l, ++ inp[i].pi_str.s_buf = (const char *) ++ (const void *)(&q[o4 + sizeof(l)]); ++ DPRINTF(("l = %d, r = %" SIZE_T_FORMAT ++ "u, s = %s\n", l, + CDF_ROUND(l, sizeof(l)), + inp[i].pi_str.s_buf)); +- l = 4 + CDF_ROUND(l, sizeof(l)); +- o += l >> 2; ++ if (l & 1) ++ l++; ++ o += l >> 1; ++ if (q + o >= e) ++ goto out; ++ o4 = o * sizeof(uint32_t); + } + i--; + break; +@@ -820,8 +908,8 @@ int + case CDF_FILETIME: + if (inp[i].pi_type & CDF_VECTOR) + goto unknown; +- (void)memcpy(&tp, &q[o], sizeof(tp)); +- inp[i].pi_tp = CDF_TOLE8(tp); ++ (void)memcpy(&tp, &q[o4], sizeof(tp)); ++ inp[i].pi_tp = CDF_TOLE8((uint64_t)tp); + break; + case CDF_CLIPBOARD: + if (inp[i].pi_type & CDF_VECTOR) +@@ -831,7 +919,7 @@ int + unknown: + DPRINTF(("Don't know how to deal with %x\n", + inp[i].pi_type)); +- goto out; ++ break; + } + } + return 0; +@@ -841,16 +929,18 @@ out: + } + + int +-cdf_unpack_summary_info(const cdf_stream_t *sst, cdf_summary_info_header_t *ssi, +- cdf_property_info_t **info, size_t *count) ++cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, ++ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) + { + size_t i, maxcount; +- const cdf_summary_info_header_t *si = sst->sst_tab; +- const cdf_section_declaration_t *sd = (const void *) +- ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET); ++ const cdf_summary_info_header_t *si = ++ CAST(const cdf_summary_info_header_t *, sst->sst_tab); ++ const cdf_section_declaration_t *sd = ++ CAST(const cdf_section_declaration_t *, (const void *) ++ ((const char *)sst->sst_tab + CDF_SECTION_DECLARATION_OFFSET)); + +- if (cdf_check_stream_offset(sst, si, sizeof(*si)) == -1 || +- cdf_check_stream_offset(sst, sd, sizeof(*sd)) == -1) ++ if (cdf_check_stream_offset(sst, h, si, sizeof(*si), __LINE__) == -1 || ++ cdf_check_stream_offset(sst, h, sd, sizeof(*sd), __LINE__) == -1) + return -1; + ssi->si_byte_order = CDF_TOLE2(si->si_byte_order); + ssi->si_os_version = CDF_TOLE2(si->si_os_version); +@@ -867,9 +957,10 @@ int + errno = EFTYPE; + return -1; + } +- if (cdf_read_property_info(sst, CDF_TOLE4(sd->sd_offset), +- info, count, &maxcount) == -1) ++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), ++ info, count, &maxcount) == -1) { + return -1; ++ } + } + return 0; + } +@@ -926,32 +1017,32 @@ cdf_print_property_name(char *buf, size_t bufsiz, + int + cdf_print_elapsed_time(char *buf, size_t bufsiz, cdf_timestamp_t ts) + { +- size_t len = 0; ++ int len = 0; + int days, hours, mins, secs; + + ts /= CDF_TIME_PREC; +- secs = ts % 60; ++ secs = (int)(ts % 60); + ts /= 60; +- mins = ts % 60; ++ mins = (int)(ts % 60); + ts /= 60; +- hours = ts % 24; ++ hours = (int)(ts % 24); + ts /= 24; +- days = ts; ++ days = (int)ts; + + if (days) { + len += snprintf(buf + len, bufsiz - len, "%dd+", days); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + if (days || hours) { + len += snprintf(buf + len, bufsiz - len, "%.2d:", hours); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + } + + len += snprintf(buf + len, bufsiz - len, "%.2d:", mins); +- if (len >= bufsiz) ++ if ((size_t)len >= bufsiz) + return len; + + len += snprintf(buf + len, bufsiz - len, "%.2d", secs); +@@ -994,13 +1085,14 @@ cdf_dump_sat(const char *prefix, const cdf_sat_t * + size_t i, j, s = size / sizeof(cdf_secid_t); + + for (i = 0; i < sat->sat_len; i++) { +- (void)fprintf(stderr, "%s[%zu]:\n%.6d: ", prefix, i, i * s); ++ (void)fprintf(stderr, "%s[%" SIZE_T_FORMAT "u]:\n%.6" ++ SIZE_T_FORMAT "u: ", prefix, i, i * s); + for (j = 0; j < s; j++) { + (void)fprintf(stderr, "%5d, ", + CDF_TOLE4(sat->sat_tab[s * i + j])); + if ((j + 1) % 10 == 0) +- (void)fprintf(stderr, "\n%.6d: ", +- i * s + j + 1); ++ (void)fprintf(stderr, "\n%.6" SIZE_T_FORMAT ++ "u: ", i * s + j + 1); + } + (void)fprintf(stderr, "\n"); + } +@@ -1019,7 +1111,8 @@ cdf_dump(void *v, size_t len) + if (j == 16) { + j = 0; + abuf[15] = '\0'; +- (void)fprintf(stderr, "%s\n%.4x: ", abuf, i + 1); ++ (void)fprintf(stderr, "%s\n%.4" SIZE_T_FORMAT "x: ", ++ abuf, i + 1); + } + } + (void)fprintf(stderr, "\n"); +@@ -1051,7 +1144,8 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + d = &dir->dir_tab[i]; + for (j = 0; j < sizeof(name); j++) + name[j] = (char)CDF_TOLE2(d->d_name[j]); +- (void)fprintf(stderr, "Directory %zu: %s\n", i, name); ++ (void)fprintf(stderr, "Directory %" SIZE_T_FORMAT "u: %s\n", ++ i, name); + if (d->d_type < __arraycount(types)) + (void)fprintf(stderr, "Type: %s\n", types[d->d_type]); + else +@@ -1062,9 +1156,9 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + (void)fprintf(stderr, "Right child: %d\n", d->d_right_child); + (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags); + cdf_timestamp_to_timespec(&ts, d->d_created); +- (void)fprintf(stderr, "Created %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec)); + cdf_timestamp_to_timespec(&ts, d->d_modified); +- (void)fprintf(stderr, "Modified %s", ctime(&ts.tv_sec)); ++ (void)fprintf(stderr, "Modified %s", cdf_ctime(&ts.tv_sec)); + (void)fprintf(stderr, "Stream %d\n", d->d_stream_first_sector); + (void)fprintf(stderr, "Size %d\n", d->d_size); + switch (d->d_type) { +@@ -1086,7 +1180,7 @@ cdf_dump_dir(const cdf_info_t *info, const cdf_hea + default: + break; + } +- ++ + } + } + +@@ -1096,12 +1190,14 @@ cdf_dump_property_info(const cdf_property_info_t * + cdf_timestamp_t tp; + struct timespec ts; + char buf[64]; +- size_t i; ++ size_t i, j; + + for (i = 0; i < count; i++) { + cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); +- (void)fprintf(stderr, "%zu) %s: ", i, buf); ++ (void)fprintf(stderr, "%" SIZE_T_FORMAT "u) %s: ", i, buf); + switch (info[i].pi_type) { ++ case CDF_NULL: ++ break; + case CDF_SIGNED16: + (void)fprintf(stderr, "signed 16 [%hd]\n", + info[i].pi_s16); +@@ -1114,11 +1210,26 @@ cdf_dump_property_info(const cdf_property_info_t * + (void)fprintf(stderr, "unsigned 32 [%u]\n", + info[i].pi_u32); + break; ++ case CDF_FLOAT: ++ (void)fprintf(stderr, "float [%g]\n", ++ info[i].pi_f); ++ break; ++ case CDF_DOUBLE: ++ (void)fprintf(stderr, "double [%g]\n", ++ info[i].pi_d); ++ break; + case CDF_LENGTH32_STRING: + (void)fprintf(stderr, "string %u [%.*s]\n", + info[i].pi_str.s_len, + info[i].pi_str.s_len, info[i].pi_str.s_buf); + break; ++ case CDF_LENGTH32_WSTRING: ++ (void)fprintf(stderr, "string %u [", ++ info[i].pi_str.s_len); ++ for (j = 0; j < info[i].pi_str.s_len - 1; j++) ++ (void)fputc(info[i].pi_str.s_buf[j << 1], stderr); ++ (void)fprintf(stderr, "]\n"); ++ break; + case CDF_FILETIME: + tp = info[i].pi_tp; + if (tp < 1000000000000000LL) { +@@ -1127,7 +1238,7 @@ cdf_dump_property_info(const cdf_property_info_t * + } else { + cdf_timestamp_to_timespec(&ts, tp); + (void)fprintf(stderr, "timestamp %s", +- ctime(&ts.tv_sec)); ++ cdf_ctime(&ts.tv_sec)); + } + break; + case CDF_CLIPBOARD: +@@ -1151,7 +1262,7 @@ cdf_dump_summary_info(const cdf_header_t *h, const + size_t count; + + (void)&h; +- if (cdf_unpack_summary_info(sst, &ssi, &info, &count) == -1) ++ if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1) + return; + (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order); + (void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff, +@@ -1203,7 +1314,7 @@ main(int argc, char *argv[]) + if (cdf_read_ssat(&info, &h, &sat, &ssat) == -1) + err(1, "Cannot read ssat"); + #ifdef CDF_DEBUG +- cdf_dump_sat("SSAT", &h, &ssat, CDF_SHORT_SEC_SIZE(&h)); ++ cdf_dump_sat("SSAT", &ssat, CDF_SHORT_SEC_SIZE(&h)); + #endif + + if (cdf_read_dir(&info, &h, &sat, &dir) == -1) +Index: contrib/file/cdf.h +=================================================================== +--- contrib/file/cdf.h (revision 267806) ++++ contrib/file/cdf.h (working copy) +@@ -24,12 +24,27 @@ + * POSSIBILITY OF SUCH DAMAGE. + */ + /* +- * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * Parse Composite Document Files, the format used in Microsoft Office ++ * document files before they switched to zipped XML. ++ * Info from: http://sc.openoffice.org/compdocfileformat.pdf ++ * ++ * N.B. This is the "Composite Document File" format, and not the ++ * "Compound Document Format", nor the "Channel Definition Format". + */ + + #ifndef _H_CDF_ + #define _H_CDF_ + ++#ifdef WIN32 ++#include ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++#ifdef __DJGPP__ ++#define timespec timeval ++#define tv_nsec tv_usec ++#endif ++ + typedef int32_t cdf_secid_t; + + #define CDF_LOOP_LIMIT 10000 +@@ -36,8 +51,8 @@ typedef int32_t cdf_secid_t; + + #define CDF_SECID_NULL 0 + #define CDF_SECID_FREE -1 +-#define CDF_SECID_END_OF_CHAIN -2 +-#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 ++#define CDF_SECID_END_OF_CHAIN -2 ++#define CDF_SECID_SECTOR_ALLOCATION_TABLE -3 + #define CDF_SECID_MASTER_SECTOR_ALLOCATION_TABLE -4 + + typedef struct { +@@ -61,15 +76,15 @@ typedef struct { + cdf_secid_t h_master_sat[436/4]; + } cdf_header_t; + +-#define CDF_SEC_SIZE(h) (1 << (h)->h_sec_size_p2) ++#define CDF_SEC_SIZE(h) ((size_t)(1 << (h)->h_sec_size_p2)) + #define CDF_SEC_POS(h, secid) (CDF_SEC_SIZE(h) + (secid) * CDF_SEC_SIZE(h)) +-#define CDF_SHORT_SEC_SIZE(h) (1 << (h)->h_short_sec_size_p2) ++#define CDF_SHORT_SEC_SIZE(h) ((size_t)(1 << (h)->h_short_sec_size_p2)) + #define CDF_SHORT_SEC_POS(h, secid) ((secid) * CDF_SHORT_SEC_SIZE(h)) + +-typedef int32_t cdf_dirid_t; ++typedef int32_t cdf_dirid_t; + #define CDF_DIRID_NULL -1 + +-typedef int64_t cdf_timestamp_t; ++typedef int64_t cdf_timestamp_t; + #define CDF_BASE_YEAR 1601 + #define CDF_TIME_PREC 10000000 + +@@ -78,11 +93,11 @@ typedef struct { + uint16_t d_namelen; + uint8_t d_type; + #define CDF_DIR_TYPE_EMPTY 0 +-#define CDF_DIR_TYPE_USER_STORAGE 1 +-#define CDF_DIR_TYPE_USER_STREAM 2 +-#define CDF_DIR_TYPE_LOCKBYTES 3 +-#define CDF_DIR_TYPE_PROPERTY 4 +-#define CDF_DIR_TYPE_ROOT_STORAGE 5 ++#define CDF_DIR_TYPE_USER_STORAGE 1 ++#define CDF_DIR_TYPE_USER_STREAM 2 ++#define CDF_DIR_TYPE_LOCKBYTES 3 ++#define CDF_DIR_TYPE_PROPERTY 4 ++#define CDF_DIR_TYPE_ROOT_STORAGE 5 + uint8_t d_color; + #define CDF_DIR_COLOR_READ 0 *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-user@FreeBSD.ORG Wed Sep 3 08:45:59 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7E24B5FE; Wed, 3 Sep 2014 08:45:59 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5D85113C5; Wed, 3 Sep 2014 08:45:59 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s838jxJc099412; Wed, 3 Sep 2014 08:45:59 GMT (envelope-from pho@FreeBSD.org) Received: (from pho@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s838jxk6099411; Wed, 3 Sep 2014 08:45:59 GMT (envelope-from pho@FreeBSD.org) Message-Id: <201409030845.s838jxk6099411@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: pho set sender to pho@FreeBSD.org using -f From: Peter Holm Date: Wed, 3 Sep 2014 08:45:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r271009 - user/pho/stress2/misc X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Sep 2014 08:45:59 -0000 Author: pho Date: Wed Sep 3 08:45:58 2014 New Revision: 271009 URL: http://svnweb.freebsd.org/changeset/base/271009 Log: Added a regression test. Sponsored by: EMC / Isilon storage division Added: user/pho/stress2/misc/mmap19.sh (contents, props changed) Added: user/pho/stress2/misc/mmap19.sh ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/pho/stress2/misc/mmap19.sh Wed Sep 3 08:45:58 2014 (r271009) @@ -0,0 +1,223 @@ +#!/bin/sh + +# +# Copyright (c) 2014 EMC Corp. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# panic: pmap active 0xfffff801d22cdae8" seen. +# Variation of mmap18.sh. +# http://people.freebsd.org/~pho/stress/log/kostik712.txt +# Fixed by r271000. + +[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1 + +here=`pwd` +cd /tmp +sed '1,/^EOF/d' < $here/$0 > mmap19.c +cc -o mmap19 -Wall -Wextra -O2 mmap19.c -lpthread || exit 1 +rm -f mmap19.c /tmp/mmap19.core +rm -f /tmp/mmap19.core + +daemon sh -c "(cd $here/../testcases/swap; ./swap -t 2m -i 20 -k)" +rnd=`od -An -N1 -t u1 /dev/random | sed 's/ //g'` +sleep $((rnd % 10)) +for i in `jot 2`; do + /tmp/mmap19 +done +killall -q swap + +rm -f /tmp/mmap19 /tmp/mmap19.core +exit 0 +EOF +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PARALLEL 50 +#define LOOPS 50 + +void *p; + +#define N (128 * 1024 / (int)sizeof(u_int32_t)) +u_int32_t r[N]; + +unsigned long +makearg(void) +{ + unsigned int i; + unsigned long val; + + val = arc4random(); + i = arc4random() % 100; + if (i < 20) + val = val & 0xff; + if (i >= 20 && i < 40) + val = val & 0xffff; + if (i >= 40 && i < 60) + val = (unsigned long)(r) | (val & 0xffff); +#if defined(__LP64__) + if (i >= 60) { + val = (val << 32) | arc4random(); + if (i > 80) + val = val & 0x00007fffffffffffUL; + } +#endif + + return(val); +} + +void * +makeptr(void) +{ + unsigned long val; + + if (p != MAP_FAILED && p != NULL) + val = (unsigned long)p + arc4random(); + else + val = makearg(); + val = trunc_page(val); + return ((void *)val); +} + +void * +tmmap(void *arg __unused) +{ + int i, fd; + size_t len; + + pthread_set_name_np(pthread_self(), __func__); + len = 1LL * 1024 * 1024 * 1024; + + for (i = 0; i < 100; i++) { + if ((fd = open("/dev/zero", O_CREAT | O_TRUNC | O_RDWR, 0622)) == -1) + err(1,"open()"); + + if ((p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0)) != + MAP_FAILED) { + usleep(100); + munmap(p, len); + } + + if ((p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANON, -1, 0)) != + MAP_FAILED) { + usleep(100); + munmap(p, len); + } + close(fd); + } + + return (NULL); +} + +void * +tmprotect(void *arg __unused) +{ + int i, n, prot; + const void *addr; + size_t len; + + pthread_set_name_np(pthread_self(), __func__); + n = 0; + for (i = 0; i < 200; i++) { + addr = makeptr(); + len = trunc_page(makearg()); + prot = makearg(); + if (mprotect(addr, len, prot) == 0) + n++; + usleep(1000); + } + if (n < 10) + fprintf(stderr, "tmprotect() only succeeded %d times.\n", n); + return (NULL); +} + +void +test(void) +{ + int i; + int rc; + pthread_t tid[2]; + + if ((rc = pthread_create(&tid[0], NULL, tmmap, NULL)) != 0) + errc(1, rc, "tmmap()"); + if ((rc = pthread_create(&tid[1], NULL, tmprotect, NULL)) != 0) + errc(1, rc, "tmprotect()"); + + for (i = 0; i < 100; i++) { + if (fork() == 0) { + usleep(10000); + _exit(0); + } + wait(NULL); + } + + for (i = 0; i < 2; i++) + if ((rc = pthread_join(tid[i], NULL)) != 0) + errc(1, rc, "pthread_join(%d)", i); + _exit(0); +} + +int +main(void) +{ + int i, j; + struct rlimit rl; + + rl.rlim_max = rl.rlim_cur = 0; + if (setrlimit(RLIMIT_CORE, &rl) == -1) + warn("setrlimit"); + + for (i = 0; i < N; i++) + r[i] = arc4random(); + + for (i = 0; i < LOOPS; i++) { + for (j = 0; j < PARALLEL; j++) { + if (fork() == 0) + test(); + } + + for (j = 0; j < PARALLEL; j++) + wait(NULL); + } + + return (0); +} From owner-svn-src-user@FreeBSD.ORG Fri Sep 5 09:54:38 2014 Return-Path: Delivered-To: svn-src-user@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8680E33E; Fri, 5 Sep 2014 09:54:38 +0000 (UTC) Received: from mail.turbocat.net (mail.turbocat.net [IPv6:2a01:4f8:d16:4514::2]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4A4E11C83; Fri, 5 Sep 2014 09:54:38 +0000 (UTC) Received: from laptop015.home.selasky.org (cm-176.74.213.204.customer.telag.net [176.74.213.204]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.turbocat.net (Postfix) with ESMTPSA id 70F1E1FE027; Fri, 5 Sep 2014 11:54:36 +0200 (CEST) Message-ID: <5409885B.8020206@selasky.org> Date: Fri, 05 Sep 2014 11:54:35 +0200 From: Hans Petter Selasky User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0 MIME-Version: 1.0 To: Jakub Wojciech Klama , src-committers@freebsd.org, svn-src-user@freebsd.org Subject: Re: svn commit: r270139 - in user/jceel/soc2014_evdev/head/sys: amd64/conf dev/evdev References: <201408181655.s7IGtIcc077238@svn.freebsd.org> In-Reply-To: <201408181655.s7IGtIcc077238@svn.freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Sep 2014 09:54:38 -0000 On 08/18/14 18:55, Jakub Wojciech Klama wrote: > Author: jceel > Date: Mon Aug 18 16:55:18 2014 > New Revision: 270139 > URL: http://svnweb.freebsd.org/changeset/base/270139 > > Log: > Bulk update of evdev code: > * Implemented async and non-blocking I/O mode in evdev characted > device driver > * Fixed crash when closing not-yet-registered uinput device > * Added UI_DEV_GETPATH ioctl to uinput which provides newly created > evdev node path > * Implemented UI_SET_PHYS ioctl in uinput > * Implemented EVIOCREVOKE ioctl > * Added uep(4) to EVDEV kernel config > Hi, Have you verified any character device name conflicts with webcamd in ports/multimedia/webcamd ? --HPS