From nobody Thu Aug 01 16:46:58 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4WZZcf42Xnz5T3H6; Thu, 01 Aug 2024 16:46:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4WZZcf1hYKz4n7r; Thu, 1 Aug 2024 16:46:58 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722530818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vCD7Zlialsq9M0AjRyXeu7R6M2dbi6toK6kc112ISnU=; b=h2apHqto7fWwxlRCKl8NaVThpZCPCQzT+7Xx9YCEaEsgGt4xI4sDH6wB3L3MieYlCoFjmN Yk2AUZetvhxpQNVvsQS89HVX2I/XXn6HsSXiknCDvIc2PpKJHWcTAU/37oI/4MVq1nctcr lDY1bqh7mruEymIDOz2fdSnqH5Ri1foaB4OOJ4GmvtKq1nyw6lJLw86bkCwo70UKiGbsnx xux0KGr7B1vYsCD8uS0wa43vwL1S0mSVHaIDPKsbec4PCpWlhQssY+vNgW5hA05mFJP78Q zDQ34UVJV5DDYqTkVueyBXux105qpFbLbjgv9Dxteb52dasop9yca0rY1qnXfA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1722530818; a=rsa-sha256; cv=none; b=JlF0fIYSL4X2DeF7DggZYFpS0UE/R7ZtF83ryDIGfVhe3Tj9BEXc9Fpg7MN3FfuYxqFZ2+ Q3KyNqRCbRvUDxisKF3dNquG4kOiePmSUuUmztEkvOtIYdB3KrqWdg2+5DNLlavDOKypuP /RgmExif71uuD7AW83I60V8f0rlbMefMmsTlfnf1KIsanOfkmrIu+7EDw99p+REuU6fpyo E8q5+aIttADfiIeyNemvSK0w+1VGwQAJAu364OwX0lELs2PJcK9r2aYfCOd0Dxmn+e3HHr zjZzv1aeEWSjKbW1w7FvUS5DhVbgU+FUnQMwq1nspTOLR/q/pgw+JeCnvYeYuA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1722530818; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=vCD7Zlialsq9M0AjRyXeu7R6M2dbi6toK6kc112ISnU=; b=tMTGs4BKb7ivxCiE4Ufji6O8hSuR+J04gNWnzFQ2BGEkGh9Hp0GIn/rWIuyIGIJY0fW2Pj kwnauiIAGmldPulroIKfFTZ8MgX+J4veK4ssGcVSCWlizRkxK5fP2zmopfwNYrLz/7NsJ7 VZSVDuTu0+vXQIkYyrkWVciIGm8QGO8px3h72dxTLHjzAbPnf61+HSqSZRROp0N5ij2HpJ SMAo93c499kE6m1/cYGDOCRMaSirNJTAY+K+34VMTGJC9Eyz4zvBRVnOlOKd/Ok9IWc2nb fAsJFvsgZVnemq3WfijTJc4tLq4WAEgW9wmWHMFch8E4ItGm+/XjQGuRlZ+jYA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4WZZcf1Ftszrnt; Thu, 1 Aug 2024 16:46:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 471GkwEg046696; Thu, 1 Aug 2024 16:46:58 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 471GkwrN046693; Thu, 1 Aug 2024 16:46:58 GMT (envelope-from git) Date: Thu, 1 Aug 2024 16:46:58 GMT Message-Id: <202408011646.471GkwrN046693@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: c14665b4aee7 - stable/13 - diff: Fix integer overflow. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: c14665b4aee7e1594467bac4a9d9cc5c66173975 Auto-Submitted: auto-generated The branch stable/13 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=c14665b4aee7e1594467bac4a9d9cc5c66173975 commit c14665b4aee7e1594467bac4a9d9cc5c66173975 Author: Dag-Erling Smørgrav AuthorDate: 2024-07-29 14:02:29 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2024-08-01 16:46:19 +0000 diff: Fix integer overflow. The legacy Stone algorithm uses `int` to represent line numbers, array indices, and array lengths. If given inputs approaching `INT_MAX` lines, it would overflow and attempt to allocate ridiculously large amounts of memory. To avoid this without penalizing non-pathological inputs, switch a few variables to `size_t` and add checks while and immediately after reading both inputs. MFC after: 3 days PR: 280371 Sponsored by: Klara, Inc. Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D46169 (cherry picked from commit 9317242469f1ca682626d9806f8caf65d143c09a) --- usr.bin/diff/diffreg.c | 45 ++++++++++++++++++++++++--------------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/usr.bin/diff/diffreg.c b/usr.bin/diff/diffreg.c index a73020c44a80..fb01fa24a281 100644 --- a/usr.bin/diff/diffreg.c +++ b/usr.bin/diff/diffreg.c @@ -217,9 +217,9 @@ static int *klist; /* will be overlaid on file[0] after class */ static int *member; /* will be overlaid on file[1] */ static int clen; static int inifdef; /* whether or not we are in a #ifdef block */ -static int len[2]; -static int pref, suff; /* length of prefix and suffix */ -static int slen[2]; +static size_t len[2]; /* lengths of files in lines */ +static size_t pref, suff; /* lengths of prefix and suffix */ +static size_t slen[2]; /* lengths of files minus pref / suff */ static int anychange; static int hw, padding; /* half width and padding */ static int edoffset; @@ -391,6 +391,10 @@ diffreg(char *file1, char *file2, int flags, int capsicum) status |= 1; goto closem; } + if (len[0] > INT_MAX - 2) + errc(1, EFBIG, "%s", file1); + if (len[1] > INT_MAX - 2) + errc(1, EFBIG, "%s", file2); prune(); sort(sfile[0], slen[0]); @@ -529,18 +533,17 @@ prepare(int i, FILE *fd, size_t filesize, int flags) sz = 100; p = xcalloc(sz + 3, sizeof(*p)); - while ((r = readhash(fd, flags, &h)) != RH_EOF) - switch (r) { - case RH_EOF: /* otherwise clang complains */ - case RH_BINARY: + while ((r = readhash(fd, flags, &h)) != RH_EOF) { + if (r == RH_BINARY) return (false); - case RH_OK: - if (j == sz) { - sz = sz * 3 / 2; - p = xreallocarray(p, sz + 3, sizeof(*p)); - } - p[++j].value = h; + if (j == SIZE_MAX) + break; + if (j == sz) { + sz = sz * 3 / 2; + p = xreallocarray(p, sz + 3, sizeof(*p)); } + p[++j].value = h; + } len[i] = j; file[i] = p; @@ -551,7 +554,7 @@ prepare(int i, FILE *fd, size_t filesize, int flags) static void prune(void) { - int i, j; + size_t i, j; for (pref = 0; pref < len[0] && pref < len[1] && file[0][pref + 1].value == file[1][pref + 1].value; @@ -708,7 +711,7 @@ static void unravel(int p) { struct cand *q; - int i; + size_t i; for (i = 0; i <= len[0]; i++) J[i] = i <= pref ? i : @@ -735,7 +738,7 @@ check(FILE *f1, FILE *f2, int flags) ixold[0] = ixnew[0] = 0; jackpot = 0; ctold = ctnew = 0; - for (i = 1; i <= len[0]; i++) { + for (i = 1; i <= (int)len[0]; i++) { if (J[i] == 0) { ixold[i] = ctold += skipline(f1); continue; @@ -835,7 +838,7 @@ check(FILE *f1, FILE *f2, int flags) ixnew[j] = ctnew; j++; } - for (; j <= len[1]; j++) { + for (; j <= (int)len[1]; j++) { ixnew[j] = ctnew += skipline(f2); } /* @@ -1488,9 +1491,9 @@ dump_context_vec(FILE *f1, FILE *f2, int flags) b = d = 0; /* gcc */ lowa = MAX(1, cvp->a - diff_context); - upb = MIN(len[0], context_vec_ptr->b + diff_context); + upb = MIN((int)len[0], context_vec_ptr->b + diff_context); lowc = MAX(1, cvp->c - diff_context); - upd = MIN(len[1], context_vec_ptr->d + diff_context); + upd = MIN((int)len[1], context_vec_ptr->d + diff_context); printf("***************"); if ((flags & D_PROTOTYPE)) { @@ -1591,9 +1594,9 @@ dump_unified_vec(FILE *f1, FILE *f2, int flags) b = d = 0; /* gcc */ lowa = MAX(1, cvp->a - diff_context); - upb = MIN(len[0], context_vec_ptr->b + diff_context); + upb = MIN((int)len[0], context_vec_ptr->b + diff_context); lowc = MAX(1, cvp->c - diff_context); - upd = MIN(len[1], context_vec_ptr->d + diff_context); + upd = MIN((int)len[1], context_vec_ptr->d + diff_context); printf("@@ -"); uni_range(lowa, upb);