From nobody Sun Jun 14 12:37:12 2026 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gdXnj1kS5z6j5BN for ; Sun, 14 Jun 2026 12:37:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gdXnh4wLDz3RVY for ; Sun, 14 Jun 2026 12:37:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781440632; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2Zpi5zBZk9PAvhHjcduQ0ARjnqo5/ZmHlNRuEfKmFeA=; b=Evyxi2474qautthQZRxIH+FXOmkNU7vdjWzVpKZepEX544ugJVC50vSZoe2W/FxqMA8CCJ SUnaUL+ZyaXUts8VB8CWMLOuCz19EQVBrgVUL3+d9iX25poMvLWKotsuKQZyYSRRlJMyWf BG75zl6nSUYMANM/OizcoYOG4qoyuB5AoMSc9t/hL/tvNNGWSS78OC+AEBXs9VAye7Sycu gT1jaMwjW6Ys0Iw1dW9T/Jr09y5vdXG6y5r+ryCbzAX5QhM+1hYkGGVJSO5wiOAakq0TGj ZwrjB1wuQveX1Ml9SxGUQIq9wY/xx9E49O2ykHf8CBYu7Q0FME6zlQfR9L1cug== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781440632; a=rsa-sha256; cv=none; b=KButFxx1JzA0uB8dgtolSGTc9hIwTiHnhNuKrLthtVOID3W8stOQRaG6mVvANT/xyoKVDq 1m/ayw9UMsJc8LDWpJMoI8FVUhDYTk509a6cLpavFV6uelLxjLO70r5GOPQA8+NOHQuMuz OK+iszCbgi5tCVc+tl00+VWMdA85yZBEFV6Rz/zFOglU2mliJtzbSVCUSepNnAZRYmgex+ qYDooxeR/bTKKeLFESqvM/7XFvQjh0WxHOidwrCSFrRuIQtCuVCO+tG848W+Bi/Z0HIrb3 oc+id0fqGixjU+uHKRF43bb1zX2J8MyAaQJ9PFmqPsGY6QTJJoDVgJsTmDFBBw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781440632; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2Zpi5zBZk9PAvhHjcduQ0ARjnqo5/ZmHlNRuEfKmFeA=; b=d6k1MfFHZOIT+1+tchQ3+vH+/H/rvYE6+V0hU82cKNE9HyVCpQHeJI9SayeJtCCnFaiTYn vqjhJYKRiWelS92gJwLh2t78iBK2Yn0uYJQEnTVPGO5cQ6PirGqHzLFipJw08jAOiG1RWV RyNuPEBCjAQ+I7h9ACWuTmvNmZFzLDkEEEZGAUIvdFxa1ks4DCPpfgGSnwzLSZOlc+0r+6 OfeDfNksa6jQj8c/w1ROpttme6W0pxdeF8kW86NWJtFXzbEFmFG2G6Tj6pOzUm+RNxhBiC uHOAK816Oj+1xGGjK83t9BAj65rAT2nytzfYIHdPPvOWMZoeXPYu9QOQf/QsMw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gdXnh4035z17p7 for ; Sun, 14 Jun 2026 12:37:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 23d45 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Sun, 14 Jun 2026 12:37:12 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Faraz Vahedi From: Robert Clausecker Subject: git: 9e9303a8aa1b - stable/15 - libc: Guard mergesort() allocation size arithmetic List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: fuz X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 9e9303a8aa1b340b6bd93faec427260062be16bd Auto-Submitted: auto-generated Date: Sun, 14 Jun 2026 12:37:12 +0000 Message-Id: <6a2ea078.23d45.ce87e3a@gitrepo.freebsd.org> The branch stable/15 has been updated by fuz: URL: https://cgit.FreeBSD.org/src/commit/?id=9e9303a8aa1b340b6bd93faec427260062be16bd commit 9e9303a8aa1b340b6bd93faec427260062be16bd Author: Faraz Vahedi AuthorDate: 2026-05-28 13:50:45 +0000 Commit: Robert Clausecker CommitDate: 2026-06-14 09:35:23 +0000 libc: Guard mergesort() allocation size arithmetic Signed-off-by: Faraz Vahedi Pull Request: https://github.com/freebsd/freebsd-src/pull/2243 Reviewed by: fuz MFC after: 1 week (cherry picked from commit 3501eec9dd39b527a46e82de53480968d283b90e) --- lib/libc/stdlib/merge.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/libc/stdlib/merge.c b/lib/libc/stdlib/merge.c index e70938088589..e07a3947e741 100644 --- a/lib/libc/stdlib/merge.c +++ b/lib/libc/stdlib/merge.c @@ -49,6 +49,7 @@ #include #include +#include #include #include @@ -109,7 +110,7 @@ mergesort_b(void *base, size_t nmemb, size_t size, cmp_t cmp) mergesort(void *base, size_t nmemb, size_t size, cmp_t cmp) #endif { - size_t i; + size_t i, nbytes, asize; int sense; int big, iflag; u_char *f1, *f2, *t, *b, *tp2, *q, *l1, *l2; @@ -123,16 +124,21 @@ mergesort(void *base, size_t nmemb, size_t size, cmp_t cmp) if (nmemb == 0) return (0); + if (ckd_mul(&nbytes, nmemb, size) || ckd_add(&asize, nbytes, PSIZE)) { + errno = EINVAL; + return (-1); + } + iflag = 0; if (__is_aligned(size, ISIZE) && __is_aligned(base, ISIZE)) iflag = 1; - if ((list2 = malloc(nmemb * size + PSIZE)) == NULL) + if ((list2 = malloc(asize)) == NULL) return (-1); list1 = base; setup(list1, list2, nmemb, size, cmp); - last = list2 + nmemb * size; + last = list2 + nbytes; i = big = 0; while (*EVAL(list2) != last) { l2 = list1; @@ -227,10 +233,10 @@ COPY: b = t; tp2 = list1; /* swap list1, list2 */ list1 = list2; list2 = tp2; - last = list2 + nmemb*size; + last = list2 + nbytes; } if (base == list2) { - memmove(list2, list1, nmemb*size); + memmove(list2, list1, nbytes); list2 = list1; } free(list2);