From owner-svn-src-stable@freebsd.org Sun Nov 8 14:22:59 2015 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 19A92A29286; Sun, 8 Nov 2015 14:22:59 +0000 (UTC) (envelope-from ache@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BB7F2151A; Sun, 8 Nov 2015 14:22:58 +0000 (UTC) (envelope-from ache@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tA8EMvdD086376; Sun, 8 Nov 2015 14:22:57 GMT (envelope-from ache@FreeBSD.org) Received: (from ache@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tA8EMvpj086375; Sun, 8 Nov 2015 14:22:57 GMT (envelope-from ache@FreeBSD.org) Message-Id: <201511081422.tA8EMvpj086375@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ache set sender to ache@FreeBSD.org using -f From: "Andrey A. Chernov" Date: Sun, 8 Nov 2015 14:22:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r290546 - stable/10/usr.bin/bsdiff/bsdiff X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Nov 2015 14:22:59 -0000 Author: ache Date: Sun Nov 8 14:22:57 2015 New Revision: 290546 URL: https://svnweb.freebsd.org/changeset/base/290546 Log: MFC: r290329,r290336 PR: 204230 r290329: Use meaningful errno for ssize_t overflow in read(). Catch size_t overflow in malloc(). r290336: Check for (old|new)size + 1 overflows off_t. Modified: stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Directory Properties: stable/10/ (props changed) Modified: stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c ============================================================================== --- stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Sun Nov 8 13:44:21 2015 (r290545) +++ stable/10/usr.bin/bsdiff/bsdiff/bsdiff.c Sun Nov 8 14:22:57 2015 (r290546) @@ -31,7 +31,10 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include +#include +#include #include #include #include @@ -221,8 +224,17 @@ int main(int argc,char *argv[]) /* Allocate oldsize+1 bytes instead of oldsize bytes to ensure that we never try to malloc(0) and get a NULL pointer */ if(((fd=open(argv[1],O_RDONLY|O_BINARY,0))<0) || - ((oldsize=lseek(fd,0,SEEK_END))==-1) || - ((old=malloc(oldsize+1))==NULL) || + ((oldsize=lseek(fd,0,SEEK_END))==-1)) + err(1, "%s", argv[1]); + + if (oldsize > SSIZE_MAX || + (uintmax_t)oldsize >= SIZE_T_MAX / sizeof(off_t) || + oldsize == OFF_MAX) { + errno = EFBIG; + err(1, "%s", argv[1]); + } + + if (((old=malloc(oldsize+1))==NULL) || (lseek(fd,0,SEEK_SET)!=0) || (read(fd,old,oldsize)!=oldsize) || (close(fd)==-1)) err(1,"%s",argv[1]); @@ -237,8 +249,16 @@ int main(int argc,char *argv[]) /* Allocate newsize+1 bytes instead of newsize bytes to ensure that we never try to malloc(0) and get a NULL pointer */ if(((fd=open(argv[2],O_RDONLY|O_BINARY,0))<0) || - ((newsize=lseek(fd,0,SEEK_END))==-1) || - ((new=malloc(newsize+1))==NULL) || + ((newsize=lseek(fd,0,SEEK_END))==-1)) + err(1, "%s", argv[2]); + + if (newsize > SSIZE_MAX || (uintmax_t)newsize >= SIZE_T_MAX || + newsize == OFF_MAX) { + errno = EFBIG; + err(1, "%s", argv[2]); + } + + if (((new=malloc(newsize+1))==NULL) || (lseek(fd,0,SEEK_SET)!=0) || (read(fd,new,newsize)!=newsize) || (close(fd)==-1)) err(1,"%s",argv[2]);