Created attachment 164966
malloc + read in a loop -> mmap
The current code for reading in the bootcode from a file has a few problems.
408: if lseek(2) fails, bootsize underflows to SIZE_T_MAX, making the resulting allocation dangerous
409: if malloc(3) fails, we end up with a null pointer deref later
413: if read(2) fails, the installer will hang trying to read(2) boot loader code
I've replaced this with a call to mmap(2), which will give us what we want, and also contains more error-handling if something goes wrong.
Tested on FreeBSD 10.2-STABLE on amd64.
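
The failure handling described above, as an added example (not the attached patch and not FreeBSD source): mapping a file read-only with each call checked. The names `map_bootcode` and `demo`, the use of fstat(2) to get the size, and the 512-byte sample file are assumptions made for the example.

```c
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: map a file read-only; returns NULL on any failure. */
static void *map_bootcode(const char *path, size_t *sizep)
{
	struct stat sb;
	void *p;
	int fd = open(path, O_RDONLY);

	*sizep = 0;
	if (fd == -1)
		return NULL;
	/* Assumed approach: fstat(2) reports its error apart from the size. */
	if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_size <= 0) {
		close(fd);
		return NULL;
	}
	p = mmap(NULL, (size_t)sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	close(fd);		/* the mapping outlives the descriptor */
	if (p == MAP_FAILED)	/* mmap(2) signals errors with MAP_FAILED */
		return NULL;
	*sizep = (size_t)sb.st_size;
	return p;
}

/* Map a constructed 512-byte sample file and compare it with what was written. */
static int demo(void)
{
	char path[] = "/tmp/bootcode.XXXXXX", buf[512];
	size_t n = 0;
	void *p;
	int ok, fd = mkstemp(path);

	if (fd == -1)
		return 1;
	memset(buf, 0x90, sizeof(buf));	/* constructed sample bytes */
	ok = write(fd, buf, sizeof(buf)) == (ssize_t)sizeof(buf);
	close(fd);
	p = ok ? map_bootcode(path, &n) : NULL;
	ok = p != NULL && n == sizeof(buf) && memcmp(p, buf, n) == 0;
	if (p != NULL)
		munmap(p, n);
	unlink(path);
	return ok ? 0 : 1;
}

int main(void) { return demo(); }
```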