Date: Sun, 8 Nov 2015 14:22:57 +0000 (UTC) From: "Andrey A. Chernov" <ache@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r290546 - stable/10/usr.bin/bsdiff/bsdiff Message-ID: <201511081422.tA8EMvpj086375@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ache Date: Sun Nov 8 14:22:57 2015 New Revision: 290546 URL: https://svnweb.freebsd.org/changeset/base/290546 Log: MFC: r290329,r290336 PR: 204230 r290329: Use meaningful errno for ssize_t overflow in read(). Catch size_t overflow in malloc(). r290336: Check for (old|new)size + 1 overflows off_t. Modified: stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c ============================================================================== --- stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Sun Nov 8 13:44:21 2015 (r290545) +++ stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Sun Nov 8 14:22:57 2015 (r290546) @@ -31,7 +31,10 @@ __FBSDID("$FreeBSD$"); #include <bzlib.h> #include <err.h> +#include <errno.h> #include <fcntl.h> +#include <limits.h> +#include <stdint.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -221,8 +224,17 @@ int main(int argc,char *argv[]) /* Allocate oldsize+1 bytes instead of oldsize bytes to ensure that we never try to malloc(0) and get a NULL pointer */ if(((fd=open(argv[1],O_RDONLY|O_BINARY,0))<0) || - ((oldsize=lseek(fd,0,SEEK_END))==-1) || - ((old=malloc(oldsize+1))==NULL) || + ((oldsize=lseek(fd,0,SEEK_END))==-1)) + err(1, "%s", argv[1]); + + if (oldsize > SSIZE_MAX || + (uintmax_t)oldsize >= SIZE_T_MAX / sizeof(off_t) || + oldsize == OFF_MAX) { + errno = EFBIG; + err(1, "%s", argv[1]); + } + + if (((old=malloc(oldsize+1))==NULL) || (lseek(fd,0,SEEK_SET)!=0) || (read(fd,old,oldsize)!=oldsize) || (close(fd)==-1)) err(1,"%s",argv[1]); @@ -237,8 +249,16 @@ int main(int argc,char *argv[]) /* Allocate newsize+1 bytes instead of newsize bytes to ensure that we never try to malloc(0) and get a NULL pointer */ if(((fd=open(argv[2],O_RDONLY|O_BINARY,0))<0) || - ((newsize=lseek(fd,0,SEEK_END))==-1) || - ((new=malloc(newsize+1))==NULL) || + ((newsize=lseek(fd,0,SEEK_END))==-1)) + err(1, "%s", argv[2]); + + if (newsize > SSIZE_MAX || (uintmax_t)newsize >= SIZE_T_MAX || + newsize == OFF_MAX) { + errno = EFBIG; + err(1, "%s", argv[2]); + } + + if (((new=malloc(newsize+1))==NULL) || (lseek(fd,0,SEEK_SET)!=0) || (read(fd,new,newsize)!=newsize) || (close(fd)==-1)) err(1,"%s",argv[2]);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201511081422.tA8EMvpj086375>