Date: Thu, 3 Oct 2019 13:03:49 +0000 (UTC) From: Ed Maste <emaste@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r353044 - stable/11/usr.bin/bsdiff/bspatch Message-ID: <201910031303.x93D3ncI092779@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: emaste Date: Thu Oct 3 13:03:48 2019 New Revision: 353044 URL: https://svnweb.freebsd.org/changeset/base/353044 Log: MFC r352742: bspatch: add integer overflow checks Introduce a new add_off_t static function that exits with an error message if there's an overflow, otherwise returns their sum. Use this when adding values obtained from the input patch. Sponsored by: The FreeBSD Foundation Modified: stable/11/usr.bin/bsdiff/bspatch/bspatch.c Directory Properties: stable/11/ (props changed) Modified: stable/11/usr.bin/bsdiff/bspatch/bspatch.c ============================================================================== --- stable/11/usr.bin/bsdiff/bspatch/bspatch.c Thu Oct 3 13:02:04 2019 (r353043) +++ stable/11/usr.bin/bsdiff/bspatch/bspatch.c Thu Oct 3 13:03:48 2019 (r353044) @@ -62,6 +62,23 @@ exit_cleanup(void) warn("unlinkat"); } +static inline off_t +add_off_t(off_t a, off_t b) +{ + off_t result; + +#if __GNUC__ >= 5 || \ + (defined(__has_builtin) && __has_builtin(__builtin_add_overflow)) + if (__builtin_add_overflow(a, b, &result)) + errx(1, "Corrupt patch"); +#else + if ((b > 0 && a > OFF_MAX - b) || (b < 0 && a < OFF_MIN - b)) + errx(1, "Corrupt patch"); + result = a + b; +#endif + return result; +} + static off_t offtin(u_char *buf) { off_t y; @@ -204,12 +221,12 @@ int main(int argc, char *argv[]) err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset); if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL) errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err); - offset += bzctrllen; + offset = add_off_t(offset, bzctrllen); if (fseeko(dpf, offset, SEEK_SET)) err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset); if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL) errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err); - offset += bzdatalen; + offset = add_off_t(offset, bzdatalen); if (fseeko(epf, offset, SEEK_SET)) err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset); if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL) @@ -243,7 +260,7 @@ int main(int argc, char *argv[]) errx(1, "Corrupt patch"); /* Sanity-check */ - if (newpos + ctrl[0] > newsize) + if (add_off_t(newpos, ctrl[0]) > newsize) errx(1, "Corrupt patch"); /* Read diff string */ @@ -254,15 +271,15 @@ int main(int argc, char *argv[]) /* Add old data to diff string */ for (i = 0; i < ctrl[0]; i++) - if ((oldpos + i >= 0) && (oldpos + i < oldsize)) + if (add_off_t(oldpos, i) < oldsize) new[newpos + i] += old[oldpos + i]; /* Adjust pointers */ - newpos += ctrl[0]; - oldpos += ctrl[0]; + newpos = add_off_t(newpos, ctrl[0]); + oldpos = add_off_t(oldpos, ctrl[0]); /* Sanity-check */ - if (newpos + ctrl[1] > newsize) + if (add_off_t(newpos, ctrl[1]) > newsize) errx(1, "Corrupt patch"); /* Read extra string */ @@ -272,8 +289,8 @@ int main(int argc, char *argv[]) errx(1, "Corrupt patch"); /* Adjust pointers */ - newpos+=ctrl[1]; - oldpos+=ctrl[2]; + newpos = add_off_t(newpos, ctrl[1]); + oldpos = add_off_t(oldpos, ctrl[2]); } /* Clean up the bzip2 reads */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201910031303.x93D3ncI092779>