From nobody Sun Jun 7 21:00:55 2026 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gYSJD6V0Gz6g5Ks for ; Sun, 07 Jun 2026 21:01:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gYSJD2xjHz3SjT for ; Sun, 07 Jun 2026 21:01:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780866060; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9sorCk1GowW7F90jTrm/878klZoUfNBnlwZrF3WWQi4=; b=MkrfkTVvfPO5TGlL41a8Hr7KYveYviIw9y9k9HOaBJJqy+LoGU9+93Hbi7MutigXkMj1/5 IAOoxFrMmkv/1FTtIbvAjqGMv+DA4mi0McWowqpSMPOEbqo6uJas76x/zQXhKsRuYTNhtw T6leg4kFbZgAJaUYshTdw4kj/ikXmb02dmSqGBEzZD9LvCyxDaCR8Yj4QtihL7VUxZKzTD /Ip5I6SiVjUKs1v13ydtGXBSe8Xp7RfWtOKvV2G9+SlzMRszvjV/WZqTkFWPb7wc1MlcNq MM6eO57bYchEyAXSVqxTXxBAM1bxVAGQqPNyVVSMA4yjTTXJf10LI1D6qd/7jw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780866060; a=rsa-sha256; cv=none; b=xHp9e8WTPaWQY8xkpe2BvmyCeNXGBJJ8b3127a/sRUXZLC8ntSeG35IVdk5nJZR88ynHWy EsuscAFsE8/oVl20OBtvWjti6HzFuAb7o+YiCPY0DscixT7WvslJlkK6is4q/nqcbucT76 BHBvZAKH3tj/MUbPkGn7EmFobjMITQO8fl5XeFP9SiC/2y5qMw166EUAfSEJWzm2N9q1/A GCiuCvPdEmZWL1+JDtyD4Hfr3/x7pHUNfDI6o2TMd2VxcR0nkLiiDSjgduG+4zoh2FeF2k UhfeGFD6U7LRfPpeo1UGZw/ZWosYQ8kd0aER5LUMOQ1HMzQyMnwXp34QYcEg0g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1780866060; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=9sorCk1GowW7F90jTrm/878klZoUfNBnlwZrF3WWQi4=; b=RfOHUiUKSKy8roNWEuy8kRMLWvbyoV5Ti5fYZtNKBZq32L9iR0I2ih2Ie+RTGxiKv5c00Y ai/Aqc5dJJd3NiHj3cXGVED53lLIpDLdBvxO5Ys2f5H7OnyNT819YT+HKIWUhz1dBBbM3S YOJb+Cxhrz0XtuFz5V2oLXG63kUIhcFjSbvIlWWzL9m+1XYyroWuI8FZKoxRhKBUoJrkS+ w1eRtvhb4c81fjAkS1/mYs1VHgprzy9MmtqRGbiWV4tgWYb8NUZoE/QCEnpZuoX89ReE15 1m/a6edF+KCrbPQtrDyGDHOsJpg6Gy1tCSwvJmqIww1kvIt25+6IBYMUfwr5DA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gYSJD2GwVz2ys for ; Sun, 07 Jun 2026 21:01:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 462cd by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 07 Jun 2026 21:00:55 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Cc: Faraz Vahedi From: Robert Clausecker Subject: git: 3501eec9dd39 - main - libc: Guard mergesort() allocation size arithmetic List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fuz X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3501eec9dd39b527a46e82de53480968d283b90e Auto-Submitted: auto-generated Date: Sun, 07 Jun 2026 21:00:55 +0000 Message-Id: <6a25dc07.462cd.5243bfb6@gitrepo.freebsd.org> The branch main has been updated by fuz: URL: https://cgit.FreeBSD.org/src/commit/?id=3501eec9dd39b527a46e82de53480968d283b90e commit 3501eec9dd39b527a46e82de53480968d283b90e Author: Faraz Vahedi AuthorDate: 2026-05-28 13:50:45 +0000 Commit: Robert Clausecker CommitDate: 2026-06-07 20:59:18 +0000 libc: Guard mergesort() allocation size arithmetic Signed-off-by: Faraz Vahedi Pull Request: https://github.com/freebsd/freebsd-src/pull/2243 Reviewed by: fuz MFC after: 1 week --- lib/libc/stdlib/merge.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/libc/stdlib/merge.c b/lib/libc/stdlib/merge.c index e70938088589..e07a3947e741 100644 --- a/lib/libc/stdlib/merge.c +++ b/lib/libc/stdlib/merge.c @@ -49,6 +49,7 @@ #include #include +#include #include #include @@ -109,7 +110,7 @@ mergesort_b(void *base, size_t nmemb, size_t size, cmp_t cmp) mergesort(void *base, size_t nmemb, size_t size, cmp_t cmp) #endif { - size_t i; + size_t i, nbytes, asize; int sense; int big, iflag; u_char *f1, *f2, *t, *b, *tp2, *q, *l1, *l2; @@ -123,16 +124,21 @@ mergesort(void *base, size_t nmemb, size_t size, cmp_t cmp) if (nmemb == 0) return (0); + if (ckd_mul(&nbytes, nmemb, size) || ckd_add(&asize, nbytes, PSIZE)) { + errno = EINVAL; + return (-1); + } + iflag = 0; if (__is_aligned(size, ISIZE) && __is_aligned(base, ISIZE)) iflag = 1; - if ((list2 = malloc(nmemb * size + PSIZE)) == NULL) + if ((list2 = malloc(asize)) == NULL) return (-1); list1 = base; setup(list1, list2, nmemb, size, cmp); - last = list2 + nmemb * size; + last = list2 + nbytes; i = big = 0; while (*EVAL(list2) != last) { l2 = list1; @@ -227,10 +233,10 @@ COPY: b = t; tp2 = list1; /* swap list1, list2 */ list1 = list2; list2 = tp2; - last = list2 + nmemb*size; + last = list2 + nbytes; } if (base == list2) { - memmove(list2, list1, nmemb*size); + memmove(list2, list1, nbytes); list2 = list1; } free(list2);