Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 8 Nov 2015 14:22:57 +0000 (UTC)
From:      "Andrey A. Chernov" <ache@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r290546 - stable/10/usr.bin/bsdiff/bsdiff
Message-ID:  <201511081422.tA8EMvpj086375@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: ache
Date: Sun Nov  8 14:22:57 2015
New Revision: 290546
URL: https://svnweb.freebsd.org/changeset/base/290546

Log:
  MFC: r290329,r290336
  PR: 204230
  
  r290329:
  
  Use meaningful errno for ssize_t overflow in read().
  Catch size_t overflow in malloc().
  
  r290336:
  
  Check for (old|new)size + 1 overflows off_t.

Modified:
  stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c
==============================================================================
--- stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c	Sun Nov  8 13:44:21 2015	(r290545)
+++ stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c	Sun Nov  8 14:22:57 2015	(r290546)
@@ -31,7 +31,10 @@ __FBSDID("$FreeBSD$");
 
 #include <bzlib.h>
 #include <err.h>
+#include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -221,8 +224,17 @@ int main(int argc,char *argv[])
 	/* Allocate oldsize+1 bytes instead of oldsize bytes to ensure
 		that we never try to malloc(0) and get a NULL pointer */
 	if(((fd=open(argv[1],O_RDONLY|O_BINARY,0))<0) ||
-		((oldsize=lseek(fd,0,SEEK_END))==-1) ||
-		((old=malloc(oldsize+1))==NULL) ||
+	    ((oldsize=lseek(fd,0,SEEK_END))==-1))
+		err(1, "%s", argv[1]);
+
+	if (oldsize > SSIZE_MAX ||
+	    (uintmax_t)oldsize >= SIZE_T_MAX / sizeof(off_t) ||
+	    oldsize == OFF_MAX) {
+		errno = EFBIG;
+		err(1, "%s", argv[1]);
+	}
+
+	if (((old=malloc(oldsize+1))==NULL) ||
 		(lseek(fd,0,SEEK_SET)!=0) ||
 		(read(fd,old,oldsize)!=oldsize) ||
 		(close(fd)==-1)) err(1,"%s",argv[1]);
@@ -237,8 +249,16 @@ int main(int argc,char *argv[])
 	/* Allocate newsize+1 bytes instead of newsize bytes to ensure
 		that we never try to malloc(0) and get a NULL pointer */
 	if(((fd=open(argv[2],O_RDONLY|O_BINARY,0))<0) ||
-		((newsize=lseek(fd,0,SEEK_END))==-1) ||
-		((new=malloc(newsize+1))==NULL) ||
+	    ((newsize=lseek(fd,0,SEEK_END))==-1))
+		err(1, "%s", argv[2]);
+
+	if (newsize > SSIZE_MAX || (uintmax_t)newsize >= SIZE_T_MAX ||
+	    newsize == OFF_MAX) {
+		errno = EFBIG;
+		err(1, "%s", argv[2]);
+	}
+
+	if (((new=malloc(newsize+1))==NULL) ||
 		(lseek(fd,0,SEEK_SET)!=0) ||
 		(read(fd,new,newsize)!=newsize) ||
 		(close(fd)==-1)) err(1,"%s",argv[2]);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201511081422.tA8EMvpj086375>