From owner-svn-src-all@FreeBSD.ORG  Wed Dec 16 14:34:49 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3DF30106566B;
	Wed, 16 Dec 2009 14:34:49 +0000 (UTC) (envelope-from jh@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 140F38FC29;
	Wed, 16 Dec 2009 14:34:49 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id nBGEYmTi001717;
	Wed, 16 Dec 2009 14:34:48 GMT (envelope-from jh@svn.freebsd.org)
Received: (from jh@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id nBGEYm6u001716;
	Wed, 16 Dec 2009 14:34:48 GMT (envelope-from jh@svn.freebsd.org)
Message-Id: <200912161434.nBGEYm6u001716@svn.freebsd.org>
From: Jaakko Heinonen <jh@FreeBSD.org>
Date: Wed, 16 Dec 2009 14:34:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r200604 - head/usr.bin/comm
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 14:34:49 -0000

Author: jh
Date: Wed Dec 16 14:34:48 2009
New Revision: 200604
URL: http://svn.freebsd.org/changeset/base/200604

Log:
  - Prevent overflowing of the buffer length variable in getline() by
    limiting its maximum value.
  - Exit if reallocf(3) fails in getline(). Failure was silently
    considered as end-of-file.
  
  Reviewed by:	ghelmer
  Approved by:	trasz (mentor)

Modified:
  head/usr.bin/comm/comm.c

Modified: head/usr.bin/comm/comm.c
==============================================================================
--- head/usr.bin/comm/comm.c	Wed Dec 16 13:00:37 2009	(r200603)
+++ head/usr.bin/comm/comm.c	Wed Dec 16 14:34:48 2009	(r200604)
@@ -52,6 +52,7 @@ __FBSDID("$FreeBSD$");
 #include <err.h>
 #include <limits.h>
 #include <locale.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -59,7 +60,8 @@ __FBSDID("$FreeBSD$");
 #include <wchar.h>
 #include <wctype.h>
 
-#define	MAXLINELEN	(LINE_MAX + 1)
+#define	INITLINELEN	(LINE_MAX + 1)
+#define	MAXLINELEN	((SIZE_MAX / sizeof(wchar_t)) / 2)
 
 const wchar_t *tabs[] = { L"", L"\t", L"\t\t" };
 
@@ -83,8 +85,8 @@ main(int argc, char *argv[])
 	flag1 = flag2 = flag3 = 1;
 	iflag = 0;
 
- 	line1len = MAXLINELEN;
- 	line2len = MAXLINELEN;
+ 	line1len = INITLINELEN;
+ 	line2len = INITLINELEN;
  	line1 = malloc(line1len * sizeof(*line1));
  	line2 = malloc(line2len * sizeof(*line2));
 	if (line1 == NULL || line2 == NULL)
@@ -193,9 +195,13 @@ getline(wchar_t *buf, size_t *buflen, FI
 	while ((ch = getwc(fp)) != WEOF && ch != '\n') {
 		if (bufpos + 1 >= *buflen) {
 			*buflen = *buflen * 2;
+			if (*buflen > MAXLINELEN)
+				errx(1,
+				    "Maximum line buffer length (%zu) exceeded",
+				    MAXLINELEN);
 			buf = reallocf(buf, *buflen * sizeof(*buf));
 			if (buf == NULL)
-				return (NULL);
+				err(1, "reallocf");
 		}
 		buf[bufpos++] = ch;
 	}
@@ -251,13 +257,13 @@ wcsicoll(const wchar_t *s1, const wchar_
 	new_l2_buflen = wcsicoll_l2_buflen;
 	while (new_l1_buflen < l1) {
 		if (new_l1_buflen == 0)
-			new_l1_buflen = MAXLINELEN;
+			new_l1_buflen = INITLINELEN;
 		else
 			new_l1_buflen *= 2;
 	}
 	while (new_l2_buflen < l2) {
 		if (new_l2_buflen == 0)
-			new_l2_buflen = MAXLINELEN;
+			new_l2_buflen = INITLINELEN;
 		else
 			new_l2_buflen *= 2;
 	}