Author: emaste
Date: Thu Oct 3 13:02:04 2019
New Revision: 353043
URL: https://svnweb.freebsd.org/changeset/base/353043
Log:
MFC r352742: bspatch: add integer overflow checks
Introduce a new add_off_t static function that exits with an error
message if there's an overflow, otherwise returns their sum. Use this
when adding values obtained from the input patch.
Sponsored by: The FreeBSD Foundation
Modified:
stable/12/usr.bin/bsdiff/bspatch/bspatch.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/usr.bin/bsdiff/bspatch/bspatch.c
==============================================================================
--- stable/12/usr.bin/bsdiff/bspatch/bspatch.c Thu Oct 3 12:51:57 2019
(r353042)
+++ stable/12/usr.bin/bsdiff/bspatch/bspatch.c Thu Oct 3 13:02:04 2019
(r353043)
@@ -62,6 +62,23 @@ exit_cleanup(void)
warn("unlinkat");
}
+static inline off_t
+add_off_t(off_t a, off_t b)
+{
+ off_t result;
+
+#if __GNUC__ >= 5 || \
+ (defined(__has_builtin) && __has_builtin(__builtin_add_overflow))
+ if (__builtin_add_overflow(a, b, &result))
+ errx(1, "Corrupt patch");
+#else
+ if ((b > 0 && a > OFF_MAX - b) || (b < 0 && a < OFF_MIN - b))
+ errx(1, "Corrupt patch");
+ result = a + b;
+#endif
+ return result;
+}
+
static off_t offtin(u_char *buf)
{
off_t y;
@@ -204,12 +221,12 @@ int main(int argc, char *argv[])
err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL)
errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err);
- offset += bzctrllen;
+ offset = add_off_t(offset, bzctrllen);
if (fseeko(dpf, offset, SEEK_SET))
err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL)
errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err);
- offset += bzdatalen;
+ offset = add_off_t(offset, bzdatalen);
if (fseeko(epf, offset, SEEK_SET))
err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL)
@@ -243,7 +260,7 @@ int main(int argc, char *argv[])
errx(1, "Corrupt patch");
/* Sanity-check */
- if (newpos + ctrl[0] > newsize)
+ if (add_off_t(newpos, ctrl[0]) > newsize)
errx(1, "Corrupt patch");
/* Read diff string */
@@ -254,15 +271,15 @@ int main(int argc, char *argv[])
/* Add old data to diff string */
for (i = 0; i < ctrl[0]; i++)
- if ((oldpos + i >= 0) && (oldpos + i < oldsize))
+ if (add_off_t(oldpos, i) < oldsize)
new[newpos + i] += old[oldpos + i];
/* Adjust pointers */
- newpos += ctrl[0];
- oldpos += ctrl[0];
+ newpos = add_off_t(newpos, ctrl[0]);
+ oldpos = add_off_t(oldpos, ctrl[0]);
/* Sanity-check */
- if (newpos + ctrl[1] > newsize)
+ if (add_off_t(newpos, ctrl[1]) > newsize)
errx(1, "Corrupt patch");
/* Read extra string */
@@ -272,8 +289,8 @@ int main(int argc, char *argv[])
errx(1, "Corrupt patch");
/* Adjust pointers */
- newpos+=ctrl[1];
- oldpos+=ctrl[2];
+ newpos = add_off_t(newpos, ctrl[1]);
+ oldpos = add_off_t(oldpos, ctrl[2]);
}
/* Clean up the bzip2 reads */
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
