From nobody Tue Feb 10 15:27:36 2026
X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4f9QRY2Fmnz6RVb8
	for <dev-commits-src-branches@mlmmj.nyi.freebsd.org>; Tue, 10 Feb 2026 15:27:37 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4f9QRY0Whvz46c3
	for <dev-commits-src-branches@FreeBSD.org>; Tue, 10 Feb 2026 15:27:37 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1770737257;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Yfhqdd1Bk8yu5RDkD4DkolS+nP4P8TAtslKcWfXeL6w=;
	b=u7ww3DePKMHHnCaCP4i/mocsamTLR+Mdw0aZOj3WABdUZNE9+hFGCtS4kg9pmIsKo0D6jn
	IcNP1XJIoIm7e8i3hz3HeNzHPVV+3qoNbN9OmO5Kk9V5ZYN/Zk4KeGJh6VwNhcsDsrpMwF
	bFobYcVQv7EkqwPaLtN4golTxWem3BqF46VJ2oxOrKKr6hRj0rFGvQPudrtT7Z3FzVzrW/
	OqpbrDDIBOsulKRh9tSf1yjeKlkjK9yQ8rD/FYtCEtt7ABJp29w7tY50REKkBvS+6c+mj4
	6QINpFomPmZyYkA3LCN1lEfctRTZExumNDZcFtCMzQ3oQrN/wrwJu82Ewu+gXw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1770737257; a=rsa-sha256; cv=none;
	b=jU76h+oQyFqldjUGvSlAFmOP9FB6YKk3j1H8VnZaWg2Gmlb7RcNnE9wGBd056gfzu64PN4
	Ib/XiMk9N7c+XPsCMiP2JervQf1+4AeTwUhHhw8tWmB3yr0zXqzJkpvEph1yZyQUVJ97uO
	xvwLtW7fwzLW1GNJejfokY1PcsfPjbN6lohJNFRYZleIwwO+pCRrdGQZzXpFdzkGRIy7Db
	iNBNm0q/nVLEJGkGSf/sxsnyCvJDukKH182qKo6EQbn5mhE+mow35FRVQmip475z7T1jJa
	5D/aJHeMxONPzmShEO+cIyP09y38H0xcpGPm2QnNozxNVuiKY8lCb0gB1D/l3w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1770737257;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=Yfhqdd1Bk8yu5RDkD4DkolS+nP4P8TAtslKcWfXeL6w=;
	b=NLQkL4CCoMTXoylvERLhbwht2dIZzMSslhiCfavXDGS9AxPW/UXII35PUPNp+rVDrSkjxj
	UuhvWYtxBwqDK3MU477OKDAZAlGdusDdx/5+CtU0UopIJXFrTdanPg4V274KhV3VSLBFpm
	RUEVKSHgAWv2XWEjrRj1G0rKiv5C5HFo9H7NEcvXZ2p0HqJKAUmMye3/SP7hQGmrP76eUc
	46hjIFgGT6H0JwbW6IzUb5pf98A+NfKog+Jg0JYwkkx8KwjMThWyVlXjsfONHRXpgg6Zl+
	MsVUAb6gVw/qVSvM9ka6LgEWoPmJ2pS/9dTuT3sMkjx5an3jhfQmKNOW2giWNg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4f9QRY00Cpz1NTl
	for <dev-commits-src-branches@FreeBSD.org>; Tue, 10 Feb 2026 15:27:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 44e17
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Tue, 10 Feb 2026 15:27:36 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav <des@FreeBSD.org>
Subject: git: 4a30735cddad - stable/15 - diff: Fix integer overflows in Stone algorithm
List-Id: Commits to the stable branches of the FreeBSD src repository <dev-commits-src-branches.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
List-Help: <mailto:dev-commits-src-branches+help@freebsd.org>
List-Post: <mailto:dev-commits-src-branches@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-branches+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-branches+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 4a30735cddad592a7445d7473536f4bcdcc0e001
Auto-Submitted: auto-generated
Date: Tue, 10 Feb 2026 15:27:36 +0000
Message-Id: <698b4e68.44e17.41b9e590@gitrepo.freebsd.org>

The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a30735cddad592a7445d7473536f4bcdcc0e001

commit 4a30735cddad592a7445d7473536f4bcdcc0e001
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-02-05 14:39:43 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-02-10 14:24:08 +0000

    diff: Fix integer overflows in Stone algorithm
    
    Fix integer overflows that may occur when the context window is very
    large and add tests to exercise those conditions.
    
    PR:             267032
    MFC after:      1 week
    Sponsored by:   Klara, Inc.
    Reviewed by:    thj, kevans
    Differential Revision:  https://reviews.freebsd.org/D55110
    
    (cherry picked from commit 5fc739eb5949620da911db2f87ca8faedc549d3a)
---
 usr.bin/diff/diffreg.c          | 32 +++++++++++++++++++++-----------
 usr.bin/diff/tests/diff_test.sh | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 11 deletions(-)

diff --git a/usr.bin/diff/diffreg.c b/usr.bin/diff/diffreg.c
index ffa5568bf442..91ae5ee6591a 100644
--- a/usr.bin/diff/diffreg.c
+++ b/usr.bin/diff/diffreg.c
@@ -77,6 +77,7 @@
 #include <paths.h>
 #include <regex.h>
 #include <stdbool.h>
+#include <stdckdint.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -1056,7 +1057,7 @@ change(char *file1, FILE *f1, char *file2, FILE *f2, int a, int b, int c, int d,
 {
 	static size_t max_context = 64;
 	long curpos;
-	int i, nc;
+	int dist, i, nc;
 	const char *walk;
 	bool skip_blanks, ignore;
 
@@ -1120,8 +1121,9 @@ proceed:
 			 */
 			print_header(file1, file2);
 			anychange = 1;
-		} else if (a > context_vec_ptr->b + (2 * diff_context) + 1 &&
-		    c > context_vec_ptr->d + (2 * diff_context) + 1) {
+		} else if (!ckd_add(&dist, diff_context, diff_context) &&
+		    a - context_vec_ptr->b - 1 > dist &&
+		    c - context_vec_ptr->d - 1 > dist) {
 			/*
 			 * If this change is more than 'diff_context' lines from the
 			 * previous change, dump the record and reset it.
@@ -1506,10 +1508,14 @@ dump_context_vec(FILE *f1, FILE *f2, int flags)
 		return;
 
 	b = d = 0;		/* gcc */
-	lowa = MAX(1, cvp->a - diff_context);
-	upb = MIN((int)len[0], context_vec_ptr->b + diff_context);
-	lowc = MAX(1, cvp->c - diff_context);
-	upd = MIN((int)len[1], context_vec_ptr->d + diff_context);
+	if (ckd_sub(&lowa, cvp->a, diff_context) || lowa < 1)
+		lowa = 1;
+	if (ckd_add(&upb, context_vec_ptr->b, diff_context) || upb > (int)len[0])
+		upb = (int)len[0];
+	if (ckd_sub(&lowc, cvp->c, diff_context) || lowc < 1)
+		lowc = 1;
+	if (ckd_add(&upd, context_vec_ptr->d, diff_context) || upd > (int)len[1])
+		upd = (int)len[1];
 
 	printf("***************");
 	if (flags & (D_PROTOTYPE | D_MATCHLAST)) {
@@ -1609,10 +1615,14 @@ dump_unified_vec(FILE *f1, FILE *f2, int flags)
 		return;
 
 	b = d = 0;		/* gcc */
-	lowa = MAX(1, cvp->a - diff_context);
-	upb = MIN((int)len[0], context_vec_ptr->b + diff_context);
-	lowc = MAX(1, cvp->c - diff_context);
-	upd = MIN((int)len[1], context_vec_ptr->d + diff_context);
+	if (ckd_sub(&lowa, cvp->a, diff_context) || lowa < 1)
+		lowa = 1;
+	if (ckd_add(&upb, context_vec_ptr->b, diff_context) || upb > (int)len[0])
+		upb = (int)len[0];
+	if (ckd_sub(&lowc, cvp->c, diff_context) || lowc < 1)
+		lowc = 1;
+	if (ckd_add(&upd, context_vec_ptr->d, diff_context) || upd > (int)len[1])
+		upd = (int)len[1];
 
 	printf("@@ -");
 	uni_range(lowa, upb);
diff --git a/usr.bin/diff/tests/diff_test.sh b/usr.bin/diff/tests/diff_test.sh
index 691b649813a1..89348d3a8b16 100755
--- a/usr.bin/diff/tests/diff_test.sh
+++ b/usr.bin/diff/tests/diff_test.sh
@@ -24,6 +24,7 @@ atf_test_case functionname
 atf_test_case noderef
 atf_test_case ignorecase
 atf_test_case dirloop
+atf_test_case verylong
 
 simple_body()
 {
@@ -380,6 +381,36 @@ dirloop_body()
 	    diff -r a b
 }
 
+bigc_head()
+{
+	atf_set "descr" "Context diff with very large context"
+}
+bigc_body()
+{
+	echo $'x\na\ny' >a
+	echo $'x\nb\ny' >b
+	atf_check -s exit:2 -e ignore diff -C$(((1<<31)-1)) a b
+	atf_check -s exit:1 -o match:'--- 1,3 ---' \
+	    diff -C$(((1<<31)-2)) a b
+	atf_check -s exit:1 -o match:'--- 1,3 ---' \
+	    diff -Astone -C$(((1<<31)-2)) a b
+}
+
+bigu_head()
+{
+	atf_set "descr" "Unified diff with very large context"
+}
+bigu_body()
+{
+	echo $'x\na\ny' >a
+	echo $'x\nb\ny' >b
+	atf_check -s exit:2 -e ignore diff -U$(((1<<31)-1)) a b
+	atf_check -s exit:1 -o match:'^@@ -1,3 \+1,3 @@$' \
+	    diff -U$(((1<<31)-2)) a b
+	atf_check -s exit:1 -o match:'^@@ -1,3 \+1,3 @@$' \
+	    diff -Astone -U$(((1<<31)-2)) a b
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case simple
@@ -407,4 +438,6 @@ atf_init_test_cases()
 	atf_add_test_case noderef
 	atf_add_test_case ignorecase
 	atf_add_test_case dirloop
+	atf_add_test_case bigc
+	atf_add_test_case bigu
 }