FreeBSD Bugzilla – Attachment 149982 Details for
Bug 195436
patch utility, line number overflows checks
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Proposed patch
patch-patch.diff (text/plain), 6.38 KB, created by
David CARLIER
on 2014-11-29 09:11:24 UTC
(
hide
)
Description:
Proposed patch
Filename:
MIME Type:
Creator:
David CARLIER
Created:
2014-11-29 09:11:24 UTC
Size:
6.38 KB
patch
obsolete
>diff --git a/usr.bin/patch/common.h b/usr.bin/patch/common.h >index a6da179..41b7ff4 100644 >--- a/usr.bin/patch/common.h >+++ b/usr.bin/patch/common.h >@@ -23,7 +23,7 @@ > * -C option added in 1998, original code by Marc Espie, based on FreeBSD > * behaviour > * >- * $OpenBSD: common.h,v 1.26 2006/03/11 19:41:30 otto Exp $ >+ * $OpenBSD: common.h,v 1.28 2014/11/25 10:26:07 tobias Exp $ > * $FreeBSD$ > */ > >@@ -40,6 +40,7 @@ > #define INITHUNKMAX 125 /* initial dynamic allocation size */ > #define INITLINELEN 4096 > #define BUFFERSIZE 4096 >+#define LINENUM_MAX LONG_MAX > > #define SCCSPREFIX "s." > #define GET "get -e %s" >diff --git a/usr.bin/patch/pch.c b/usr.bin/patch/pch.c >index d9c4b3d..076e822 100644 >--- a/usr.bin/patch/pch.c >+++ b/usr.bin/patch/pch.c >@@ -24,7 +24,7 @@ > * -C option added in 1998, original code by Marc Espie, based on FreeBSD > * behaviour > * >- * $OpenBSD: pch.c,v 1.39 2012/04/11 08:07:13 ajacoutot Exp $ >+ * $OpenBSD: pch.c,v 1.46 2014/11/26 10:11:21 tobias Exp $ > * $FreeBSD$ > */ > >@@ -38,6 +38,7 @@ > #include <stdlib.h> > #include <string.h> > #include <unistd.h> >+#include <errno.h> > > #include "common.h" > #include "util.h" >@@ -589,7 +590,10 @@ another_hunk(void) > malformed(); > if (strnEQ(s, "0,0", 3)) > memmove(s, s + 2, strlen(s + 2) + 1); >- p_first = (LINENUM) atol(s); >+ p_first = (LINENUM) strtol(s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > if (*s == ',') { >@@ -597,7 +601,11 @@ another_hunk(void) > ; > if (!*s) > malformed(); >- p_ptrn_lines = ((LINENUM) atol(s)) - p_first + 1; >+ p_ptrn_lines = ((LINENUM) strtol(s, 0, >+ 0)) - p_first + 1; >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > } else if (p_first) > p_ptrn_lines = 1; > else { >@@ -605,6 +613,9 @@ another_hunk(void) > p_first = 1; > } > >+ if (p_first >= LINENUM_MAX - p_ptrn_lines || >+ p_ptrn_lines >= LINENUM_MAX - 6) >+ malformed(); > /* we need this much at least */ > p_max = p_ptrn_lines + 6; > while (p_max >= hunkmax) >@@ -656,7 +667,10 @@ another_hunk(void) > ; > if (!*s) > malformed(); >- p_newfirst = (LINENUM) atol(s); >+ p_newfirst = (LINENUM) strtol(s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > if (*s == ',') { >@@ -664,14 +678,21 @@ another_hunk(void) > ; > if (!*s) > malformed(); >- p_repl_lines = ((LINENUM) atol(s)) - >- p_newfirst + 1; >+ p_repl_lines = ((LINENUM) strtol(s, 0, >+ 0)) - p_newfirst + 1; >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > } else if (p_newfirst) > p_repl_lines = 1; > else { > p_repl_lines = 0; > p_newfirst = 1; > } >+ >+ if (p_newfirst >= LINENUM_MAX - p_repl_lines || >+ p_repl_lines >= LINENUM_MAX - p_end) >+ malformed(); > p_max = p_repl_lines + p_end; > if (p_max > MAXHUNKSIZE) > fatal("hunk too large (%ld lines) at line %ld: %s", >@@ -864,11 +885,17 @@ hunk_done: > s = buf + 4; > if (!*s) > malformed(); >- p_first = (LINENUM) atol(s); >+ p_first = (LINENUM) strtol(s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > if (*s == ',') { >- p_ptrn_lines = (LINENUM) atol(++s); >+ p_ptrn_lines = (LINENUM) strtol(++s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > } else >@@ -877,11 +904,17 @@ hunk_done: > s++; > if (*s != '+' || !*++s) > malformed(); >- p_newfirst = (LINENUM) atol(s); >+ p_newfirst = (LINENUM) strtol(s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > if (*s == ',') { >- p_repl_lines = (LINENUM) atol(++s); >+ p_repl_lines = (LINENUM) strtol(++s, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, s); > while (isdigit((unsigned char)*s)) > s++; > } else >@@ -890,6 +923,10 @@ hunk_done: > s++; > if (*s != '@') > malformed(); >+ if (p_first >= LINENUM_MAX - p_ptrn_lines || >+ p_newfirst > LINENUM_MAX - p_repl_lines || >+ p_ptrn_lines >= LINENUM_MAX - p_repl_lines - 1) >+ malformed(); > if (!p_ptrn_lines) > p_first++; /* do append rather than insert */ > p_max = p_ptrn_lines + p_repl_lines + 1; >@@ -1029,35 +1066,52 @@ hunk_done: > next_intuit_at(line_beginning, p_input_line); > return false; > } >- p_first = (LINENUM) atol(buf); >+ p_first = (LINENUM) strtol(buf, 0, 0); >+ if (errno == ERANGE) >+ fatal("at line %ld: bad line number %s", >+ p_input_line, buf); > for (s = buf; isdigit((unsigned char)*s); s++) > ; > if (*s == ',') { >- p_ptrn_lines = (LINENUM) atol(++s) - p_first + 1; >+ p_ptrn_lines = (LINENUM) strtol(++s, 0, >+ 0) - p_first + 1; >+ if (errno == ERANGE) >+ malformed(); > while (isdigit((unsigned char)*s)) > s++; > } else > p_ptrn_lines = (*s != 'a'); >+ if (p_first >= LINENUM_MAX - p_ptrn_lines) >+ malformed(); > hunk_type = *s; > if (hunk_type == 'a') > p_first++; /* do append rather than insert */ >- min = (LINENUM) atol(++s); >+ min = (LINENUM) strtol(++s, 0, 0); >+ if (errno == ERANGE) >+ malformed(); > for (; isdigit((unsigned char)*s); s++) > ; >- if (*s == ',') >- max = (LINENUM) atol(++s); >- else >+ if (*s == ',') { >+ max = (LINENUM) strtol(++s, 0, 0); >+ if (errno == ERANGE) >+ malformed(); >+ } else > max = min; >+ if (min < 0 || min > max || max - min == LINENUM_MAX) >+ malformed(); > if (hunk_type == 'd') > min++; >- p_end = p_ptrn_lines + 1 + max - min + 1; >+ p_newfirst = min; >+ p_repl_lines = max - min + 1; >+ if (p_newfirst > LINENUM_MAX - p_repl_lines || >+ p_ptrn_lines >= LINENUM_MAX - p_repl_lines - 1) >+ malformed(); >+ p_end = p_ptrn_lines + p_repl_lines + 1; > if (p_end > MAXHUNKSIZE) > fatal("hunk too large (%ld lines) at line %ld: %s", > p_end, p_input_line, buf); > while (p_end >= hunkmax) > grow_hunkmax(); >- p_newfirst = min; >- p_repl_lines = max - min + 1; > snprintf(buf, buf_size, "*** %ld,%ld\n", p_first, > p_first + p_ptrn_lines - 1); > p_line[0] = savestr(buf);
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 195436
:
149926
|
149941
|
149982
|
150316
|
150320