From fab4b61ecb5b09be18208a5e7896d344b7536089 Mon Sep 17 00:00:00 2001
From: ache <ache@FreeBSD.org>
Date: Sun, 8 Nov 2015 14:22:57 +0000
Subject: MFC: r290329,r290336 PR: 204230

r290329:

Use meaningful errno for ssize_t overflow in read().
Catch size_t overflow in malloc().

r290336:

Check for (old|new)size + 1 overflows off_t.
---
 usr.bin/bsdiff/bsdiff/bsdiff.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

(limited to 'usr.bin')

diff --git a/usr.bin/bsdiff/bsdiff/bsdiff.c b/usr.bin/bsdiff/bsdiff/bsdiff.c
index 8b764da..fe7da7c 100644
--- a/usr.bin/bsdiff/bsdiff/bsdiff.c
+++ b/usr.bin/bsdiff/bsdiff/bsdiff.c
@@ -31,7 +31,10 @@ __FBSDID("$FreeBSD$");
 
 #include <bzlib.h>
 #include <err.h>
+#include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -221,8 +224,17 @@ int main(int argc,char *argv[])
 	/* Allocate oldsize+1 bytes instead of oldsize bytes to ensure
 		that we never try to malloc(0) and get a NULL pointer */
 	if(((fd=open(argv[1],O_RDONLY|O_BINARY,0))<0) ||
-		((oldsize=lseek(fd,0,SEEK_END))==-1) ||
-		((old=malloc(oldsize+1))==NULL) ||
+	    ((oldsize=lseek(fd,0,SEEK_END))==-1))
+		err(1, "%s", argv[1]);
+
+	if (oldsize > SSIZE_MAX ||
+	    (uintmax_t)oldsize >= SIZE_T_MAX / sizeof(off_t) ||
+	    oldsize == OFF_MAX) {
+		errno = EFBIG;
+		err(1, "%s", argv[1]);
+	}
+
+	if (((old=malloc(oldsize+1))==NULL) ||
 		(lseek(fd,0,SEEK_SET)!=0) ||
 		(read(fd,old,oldsize)!=oldsize) ||
 		(close(fd)==-1)) err(1,"%s",argv[1]);
@@ -237,8 +249,16 @@ int main(int argc,char *argv[])
 	/* Allocate newsize+1 bytes instead of newsize bytes to ensure
 		that we never try to malloc(0) and get a NULL pointer */
 	if(((fd=open(argv[2],O_RDONLY|O_BINARY,0))<0) ||
-		((newsize=lseek(fd,0,SEEK_END))==-1) ||
-		((new=malloc(newsize+1))==NULL) ||
+	    ((newsize=lseek(fd,0,SEEK_END))==-1))
+		err(1, "%s", argv[2]);
+
+	if (newsize > SSIZE_MAX || (uintmax_t)newsize >= SIZE_T_MAX ||
+	    newsize == OFF_MAX) {
+		errno = EFBIG;
+		err(1, "%s", argv[2]);
+	}
+
+	if (((new=malloc(newsize+1))==NULL) ||
 		(lseek(fd,0,SEEK_SET)!=0) ||
 		(read(fd,new,newsize)!=newsize) ||
 		(close(fd)==-1)) err(1,"%s",argv[2]);
-- 
cgit v1.1