tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2011/01/12 01:53:14 

avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS
     and sanity check arguments (these will be unnecessary when we switch
     struct glob members from being type into to size_t in the future);
     "looks ok" tedu@ feedback guenther@
This commit is contained in:
Damien Miller 2011-01-12 13:32:03 +11:00
parent b66e917831
commit 4927aaf446
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -8,6 +8,11 @@
resource limits. resource limits.
Idea from a similar NetBSD change, original problem reported by jasper@. Idea from a similar NetBSD change, original problem reported by jasper@.
ok millert tedu jasper ok millert tedu jasper
- djm@cvs.openbsd.org 2011/01/12 01:53:14
avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS
and sanity check arguments (these will be unnecessary when we switch
struct glob members from being type into to size_t in the future);
"looks ok" tedu@ feedback guenther@
20110111 20110111
- (tim) [regress/host-expand.sh] Fix for building outside of read only - (tim) [regress/host-expand.sh] Fix for building outside of read only

16
openbsd-compat/glob.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: glob.c,v 1.34 2010/10/08 21:48:42 nicm Exp $ */ /* $OpenBSD: glob.c,v 1.35 2011/01/12 01:53:14 djm Exp $ */
/* /*
* Copyright (c) 1989, 1993 * Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved. * The Regents of the University of California. All rights reserved.
@ -184,6 +184,11 @@ glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
pglob->gl_errfunc = errfunc; pglob->gl_errfunc = errfunc;
pglob->gl_matchc = 0; pglob->gl_matchc = 0;
if (pglob->gl_offs < 0 || pglob->gl_pathc < 0 ||
pglob->gl_offs >= INT_MAX || pglob->gl_pathc >= INT_MAX ||
pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1)
return GLOB_NOSPACE;
bufnext = patbuf; bufnext = patbuf;
bufend = bufnext + MAXPATHLEN - 1; bufend = bufnext + MAXPATHLEN - 1;
if (flags & GLOB_NOESCAPE) if (flags & GLOB_NOESCAPE)
@ -752,10 +757,13 @@ globextend(const Char *path, glob_t *pglob, struct glob_lim *limitp,
struct stat **statv; struct stat **statv;
newn = 2 + pglob->gl_pathc + pglob->gl_offs; newn = 2 + pglob->gl_pathc + pglob->gl_offs;
if (SIZE_MAX / sizeof(*pathv) <= newn || if (pglob->gl_offs >= INT_MAX ||
pglob->gl_pathc >= INT_MAX ||
newn >= INT_MAX ||
SIZE_MAX / sizeof(*pathv) <= newn ||
SIZE_MAX / sizeof(*statv) <= newn) { SIZE_MAX / sizeof(*statv) <= newn) {
nospace: nospace:
for (i = pglob->gl_offs; i < newn - 2; i++) { for (i = pglob->gl_offs; i < (ssize_t)(newn - 2); i++) {
if (pglob->gl_pathv && pglob->gl_pathv[i]) if (pglob->gl_pathv && pglob->gl_pathv[i])
free(pglob->gl_pathv[i]); free(pglob->gl_pathv[i]);
if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 && if ((pglob->gl_flags & GLOB_KEEPSTAT) != 0 &&
@ -870,7 +878,7 @@ match(Char *name, Char *pat, Char *patend)
++pat; ++pat;
while (((c = *pat++) & M_MASK) != M_END) { while (((c = *pat++) & M_MASK) != M_END) {
if ((c & M_MASK) == M_CLASS) { if ((c & M_MASK) == M_CLASS) {
int idx = *pat & M_MASK; Char idx = *pat & M_MASK;
if (idx < NCCLASSES && if (idx < NCCLASSES &&
cclasses[idx].isctype(k)) cclasses[idx].isctype(k))
ok = 1; ok = 1;