[packages/cvs-nserver.git] / cvs-nserver-CAN-2004-0416-0417-0418.patch

diff -urN cvs-nserver-1.11.1.52.org/acinclude.m4 cvs-nserver-1.11.1.52/acinclude.m4
--- cvs-nserver-1.11.1.52.org/acinclude.m4	2004-06-11 15:13:22.806441712 +0200
+++ cvs-nserver-1.11.1.52/acinclude.m4	2004-06-11 15:14:12.949818760 +0200
@@ -229,3 +229,85 @@
   AC_SEARCH_LIBS([gss_import_name], [gssapi_krb5 gssapi])
 fi
 ])dnl
+
+
+
+# size_max.m4 serial 2
+dnl Copyright (C) 2003 Free Software Foundation, Inc.
+dnl This file is free software, distributed under the terms of the GNU
+dnl General Public License.  As a special exception to the GNU General
+dnl Public License, this file may be distributed as part of a program
+dnl that contains a configuration script generated by Autoconf, under
+dnl the same distribution terms as the rest of that program.
+
+dnl From Bruno Haible.
+
+AC_DEFUN([gl_SIZE_MAX],
+[
+  AC_CHECK_HEADERS(stdint.h)
+  dnl First test whether the system already has SIZE_MAX.
+  AC_MSG_CHECKING([for SIZE_MAX])
+  result=
+  AC_EGREP_CPP([Found it], [
+#include <limits.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#ifdef SIZE_MAX
+Found it
+#endif
+], result=yes)
+  if test -z "$result"; then
+    dnl Define it ourselves. Here we assume that the type 'size_t' is not wider
+    dnl than the type 'unsigned long'.
+    dnl The _AC_COMPUTE_INT macro works up to LONG_MAX, since it uses 'expr',
+    dnl which is guaranteed to work from LONG_MIN to LONG_MAX.
+    _AC_COMPUTE_INT([~(size_t)0 / 10], res_hi,
+      [#include <stddef.h>], result=?)
+    _AC_COMPUTE_INT([~(size_t)0 % 10], res_lo,
+      [#include <stddef.h>], result=?)
+    _AC_COMPUTE_INT([sizeof (size_t) <= sizeof (unsigned int)], fits_in_uint,
+      [#include <stddef.h>], result=?)
+    if test "$fits_in_uint" = 1; then
+      dnl Even though SIZE_MAX fits in an unsigned int, it must be of type
+      dnl 'unsigned long' if the type 'size_t' is the same as 'unsigned long'.
+      AC_TRY_COMPILE([#include <stddef.h>
+        extern size_t foo;
+        extern unsigned long foo;
+        ], [], fits_in_uint=0)
+    fi
+    if test -z "$result"; then
+      if test "$fits_in_uint" = 1; then
+        result="$res_hi$res_lo"U
+      else
+        result="$res_hi$res_lo"UL
+      fi
+    else
+      dnl Shouldn't happen, but who knows...
+      result='~(size_t)0'
+    fi
+  fi
+  AC_MSG_RESULT([$result])
+  if test "$result" != yes; then
+    AC_DEFINE_UNQUOTED([SIZE_MAX], [$result],
+      [Define as the maximum value of type 'size_t', if the system doesn't define it.])
+  fi
+])
+
+
+
+# xsize.m4 serial 3
+dnl Copyright (C) 2003-2004 Free Software Foundation, Inc.
+dnl This file is free software, distributed under the terms of the GNU
+dnl General Public License.  As a special exception to the GNU General
+dnl Public License, this file may be distributed as part of a program
+dnl that contains a configuration script generated by Autoconf, under
+dnl the same distribution terms as the rest of that program.
+
+AC_DEFUN([gl_XSIZE],
+[
+  dnl Prerequisites of lib/xsize.h.
+  AC_REQUIRE([gl_SIZE_MAX])
+  AC_REQUIRE([AC_C_INLINE])
+  AC_CHECK_HEADERS(stdint.h)
+])
diff -urN cvs-nserver-1.11.1.52.org/config.h.in cvs-nserver-1.11.1.52/config.h.in
--- cvs-nserver-1.11.1.52.org/config.h.in	2004-06-11 15:13:22.807441560 +0200
+++ cvs-nserver-1.11.1.52/config.h.in	2004-06-11 15:15:19.522698144 +0200
@@ -9,6 +9,10 @@
    clients.  */
 #undef SERVER_SUPPORT
 
+/* Define as the maximum value of type 'size_t', if the system doesn't define
++    it. */
+#undef SIZE_MAX
+
 /* Define if you want to use the password authenticated server.  */
 #undef AUTH_SERVER_SUPPORT
 
@@ -377,6 +381,12 @@
 /* Define to `int' if <sys/types.h> doesn't define. */
 #undef gid_t
 
+/* Define to `__inline__' or `__inline' if that's what the C compiler
+   calls it, or to nothing if 'inline' is not supported under any name.  */
+#ifndef __cplusplus
+#undef inline
+#endif
+
 /* Define to `int' if <sys/types.h> does not define. */
 #undef mode_t
 
diff -urN cvs-nserver-1.11.1.52.org/configure.in cvs-nserver-1.11.1.52/configure.in
--- cvs-nserver-1.11.1.52.org/configure.in	2004-06-11 15:13:22.811440952 +0200
+++ cvs-nserver-1.11.1.52/configure.in	2004-06-11 15:16:03.298043280 +0200
@@ -121,6 +121,8 @@
 AC_TYPE_SIZE_T
 AC_TYPE_SIGNAL
 
+gl_XSIZE
+
 AC_STRUCT_ST_BLKSIZE
 AC_STRUCT_ST_RDEV
 AC_REPLACE_FUNCS(mkdir rename strstr dup2 strerror valloc waitpid memmove strtoul)
diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.am cvs-nserver-1.11.1.52/lib/Makefile.am
--- cvs-nserver-1.11.1.52.org/lib/Makefile.am	2004-06-11 15:13:22.873431528 +0200
+++ cvs-nserver-1.11.1.52/lib/Makefile.am	2004-06-11 15:16:50.173917064 +0200
@@ -83,6 +83,9 @@
 	build_lib.com \
 	xgssapi.h
 
+# For the xsize module from GNULIB.
+libcvs_a_SOURCES += xsize.h
+
 # for backwards compatibility with the old makefiles
 realclean: maintainer-clean
 .PHONY: realclean
diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.in cvs-nserver-1.11.1.52/lib/Makefile.in
--- cvs-nserver-1.11.1.52.org/lib/Makefile.in	2004-06-11 15:13:22.874431376 +0200
+++ cvs-nserver-1.11.1.52/lib/Makefile.in	2004-06-11 15:14:13.013809032 +0200
@@ -128,6 +128,8 @@
 # Also should look into unifying regular expression matching in CVS
 # with the diff library (perhaps to have the caller, CVS, do the
 # matching?)
+
+# For the xsize module from GNULIB.
 libcvs_a_SOURCES = \
 	argmatch.c \
 	ftruncate.c \
@@ -151,8 +153,8 @@
 	system.h \
 	wait.h \
 	xselect.h \
-	xtime.h
-
+	xtime.h\
+xsize.h
 libcvs_a_LIBADD = @LIBOBJS@
 
 EXTRA_DIST = \
diff -urN cvs-nserver-1.11.1.52.org/lib/xsize.h cvs-nserver-1.11.1.52/lib/xsize.h
--- cvs-nserver-1.11.1.52.org/lib/xsize.h	1970-01-01 01:00:00.000000000 +0100
+++ cvs-nserver-1.11.1.52/lib/xsize.h	2004-06-11 15:14:13.015808728 +0200
@@ -0,0 +1,108 @@
+/* xsize.h -- Checked size_t computations.
+
+   Copyright (C) 2003 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software Foundation,
+   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
+
+#ifndef _XSIZE_H
+#define _XSIZE_H
+
+/* Get size_t.  */
+#include <stddef.h>
+
+/* Get SIZE_MAX.  */
+#include <limits.h>
+#if HAVE_STDINT_H
+# include <stdint.h>
+#endif
+
+/* The size of memory objects is often computed through expressions of
+   type size_t. Example:
+      void* p = malloc (header_size + n * element_size).
+   These computations can lead to overflow.  When this happens, malloc()
+   returns a piece of memory that is way too small, and the program then
+   crashes while attempting to fill the memory.
+   To avoid this, the functions and macros in this file check for overflow.
+   The convention is that SIZE_MAX represents overflow.
+   malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
+   implementation that uses mmap --, it's recommended to use size_overflow_p()
+   or size_in_bounds_p() before invoking malloc().
+   The example thus becomes:
+      size_t size = xsum (header_size, xtimes (n, element_size));
+      void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
+*/
+
+/* Convert an arbitrary value >= 0 to type size_t.  */
+#define xcast_size_t(N) \
+  ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
+
+/* Sum of two sizes, with overflow check.  */
+static inline size_t
+#if __GNUC__ >= 3
+__attribute__ ((__pure__))
+#endif
+xsum (size_t size1, size_t size2)
+{
+  size_t sum = size1 + size2;
+  return (sum >= size1 ? sum : SIZE_MAX);
+}
+
+/* Sum of three sizes, with overflow check.  */
+static inline size_t
+#if __GNUC__ >= 3
+__attribute__ ((__pure__))
+#endif
+xsum3 (size_t size1, size_t size2, size_t size3)
+{
+  return xsum (xsum (size1, size2), size3);
+}
+
+/* Sum of four sizes, with overflow check.  */
+static inline size_t
+#if __GNUC__ >= 3
+__attribute__ ((__pure__))
+#endif
+xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
+{
+  return xsum (xsum (xsum (size1, size2), size3), size4);
+}
+
+/* Maximum of two sizes, with overflow check.  */
+static inline size_t
+#if __GNUC__ >= 3
+__attribute__ ((__pure__))
+#endif
+xmax (size_t size1, size_t size2)
+{
+  /* No explicit check is needed here, because for any n:
+     max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX.  */
+  return (size1 >= size2 ? size1 : size2);
+}
+
+/* Multiplication of a count with an element size, with overflow check.
+   The count must be >= 0 and the element size must be > 0.
+   This is a macro, not an inline function, so that it works correctly even
+   when N is of a wider tupe and N > SIZE_MAX.  */
+#define xtimes(N, ELSIZE) \
+  ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
+
+/* Check for overflow.  */
+#define size_overflow_p(SIZE) \
+  ((SIZE) == SIZE_MAX)
+/* Check against overflow.  */
+#define size_in_bounds_p(SIZE) \
+  ((SIZE) != SIZE_MAX)
+
+#endif /* _XSIZE_H */
diff -urN cvs-nserver-1.11.1.52.org/src/commit.c cvs-nserver-1.11.1.52/src/commit.c
--- cvs-nserver-1.11.1.52.org/src/commit.c	2004-06-11 15:13:22.631468312 +0200
+++ cvs-nserver-1.11.1.52/src/commit.c	2004-06-11 15:14:13.030806448 +0200
@@ -476,7 +476,12 @@
 	   operate on, and only work with those files in the future.
 	   This saves time--we don't want to search the file system
 	   of the working directory twice.  */
-	find_args.argv = (char **) xmalloc (find_args.argc * sizeof (char **));
+	if (size_overflow_p (xtimes (find_args.argc, sizeof (char **))))
+	{
+	    find_args.argc = 0;
+	    return 0;
+	}
+	find_args.argv = xmalloc (xtimes (find_args.argc, sizeof (char **)));
 	find_args.argc = 0;
 	walklist (find_args.ulist, copy_ulist, &find_args);
 
diff -urN cvs-nserver-1.11.1.52.org/src/cvs.h cvs-nserver-1.11.1.52/src/cvs.h
--- cvs-nserver-1.11.1.52.org/src/cvs.h	2004-06-11 15:13:22.711456152 +0200
+++ cvs-nserver-1.11.1.52/src/cvs.h	2004-06-11 15:14:13.039805080 +0200
@@ -37,6 +37,10 @@
 #include "popen.h"
 #endif
 
+/* Begin GNULIB headers.  */
+#include "xsize.h"
+/* End GNULIB headers.  */
+
 #ifdef STDC_HEADERS
 #include <stdlib.h>
 #else
diff -urN cvs-nserver-1.11.1.52.org/src/filesubr.c cvs-nserver-1.11.1.52/src/filesubr.c
--- cvs-nserver-1.11.1.52.org/src/filesubr.c	2004-06-11 15:13:22.638467248 +0200
+++ cvs-nserver-1.11.1.52/src/filesubr.c	2004-06-11 15:14:13.042804624 +0200
@@ -925,8 +925,14 @@
     char ***pargv;
 {
     int i;
+    if (size_overflow_p (xtimes (argc, sizeof (char *)))) {
+	*pargc = 0;
+	*pargv = NULL;
+	error (0, 0, "expand_wild: too many arguments");
+	return;
+    }
     *pargc = argc;
-    *pargv = (char **) xmalloc (argc * sizeof (char *));
+    *pargv = xmalloc (xtimes (argc, sizeof (char *)));
     for (i = 0; i < argc; ++i)
 	(*pargv)[i] = xstrdup (argv[i]);
 }
diff -urN cvs-nserver-1.11.1.52.org/src/history.c cvs-nserver-1.11.1.52/src/history.c
--- cvs-nserver-1.11.1.52.org/src/history.c	2004-06-11 15:13:22.642466640 +0200
+++ cvs-nserver-1.11.1.52/src/history.c	2004-06-11 15:14:13.046804016 +0200
@@ -417,8 +417,11 @@
 		working = 1;
 		break;
 	    case 'X':			/* Undocumented debugging flag */
+#ifdef DEBUG
 		histfile = optarg;
+#endif
 		break;
+
 	    case 'D':			/* Since specified date */
 		if (*since_rev || *since_tag || *backto)
 		{
@@ -900,9 +903,13 @@
 {
     if (user_count == user_max)
     {
-	user_max += USER_INCREMENT;
-	user_list = (char **) xrealloc ((char *) user_list,
-					(int) user_max * sizeof (char *));
+	user_max = xsum (user_max, USER_INCREMENT);
+	if (size_overflow_p (xtimes (user_max, sizeof (char *))))
+	{
+	    error (0, 0, "save_user: too many users");
+	    return;
+	}
+	user_list = xrealloc (user_list, xtimes (user_max, sizeof (char *)));
     }
     user_list[user_count++] = xstrdup (name);
 }
@@ -930,9 +937,13 @@
 
     if (file_count == file_max)
     {
-	file_max += FILE_INCREMENT;
-	file_list = (struct file_list_str *) xrealloc ((char *) file_list,
-						   file_max * sizeof (*fl));
+	file_max = xsum (file_max, FILE_INCREMENT);
+	if (size_overflow_p (xtimes (file_max, sizeof (*fl))))
+	{
+	    error (0, 0, "save_file: too many files");
+	    return;
+	}
+	file_list = xrealloc (file_list, xtimes (file_max, sizeof (*fl)));
     }
     fl = &file_list[file_count++];
     fl->l_file = cp = xmalloc (strlen (dir) + strlen (name) + 2);
@@ -971,9 +982,13 @@
 {
     if (mod_count == mod_max)
     {
-	mod_max += MODULE_INCREMENT;
-	mod_list = (char **) xrealloc ((char *) mod_list,
-				       mod_max * sizeof (char *));
+	mod_max = xsum (mod_max, MODULE_INCREMENT);
+	if (size_overflow_p (xtimes (mod_max, sizeof (char *))))
+	{
+	    error (0, 0, "save_module: too many modules");
+	    return;
+	}
+	mod_list = xrealloc (mod_list, xtimes (mod_max, sizeof (char *)));
     }
     mod_list[mod_count++] = xstrdup (module);
 }
diff -urN cvs-nserver-1.11.1.52.org/src/server.c cvs-nserver-1.11.1.52/src/server.c
--- cvs-nserver-1.11.1.52.org/src/server.c	2004-06-11 15:13:22.702457520 +0200
+++ cvs-nserver-1.11.1.52/src/server.c	2004-06-11 15:20:44.835243120 +0200
@@ -914,7 +914,7 @@
     int i;
     char *p;
 
-    if (lim < 0)
+    if (lim < 0 || lim > 10000)
 	return;
     p = malloc (strlen (server_temp_dir) + 2 * lim + 10);
     if (p == NULL)
@@ -1977,6 +1977,9 @@
     {
 	char *cp;
 
+	if (!data[0])
+	    goto error;
+
 	if (strchr (data, '+'))
 	    goto error;
 
@@ -2108,6 +2111,14 @@
     char *p;
     
     if (error_pending()) return;
+
+    if (argument_count >= 10000)
+    {
+	if (alloc_pending (80))
+	    sprintf (pending_error_text,
+		    "E Protocol error: too many arguments");
+	return;
+    }
     
     if (argument_vector_size <= argument_count + 1)
     {
@@ -2139,6 +2150,14 @@
     char *p;
     
     if (error_pending()) return;
+
+    if (argument_count <= 1)
+    {
+	if (alloc_pending (80))
+	    sprintf (pending_error_text,
+		    "E Protocol error: called argumentx without prior call to argument");
+	return;
+    }
     
     p = argument_vector[argument_count - 1];
     p = realloc (p, strlen (p) + 1 + strlen (arg) + 1);
@@ -2496,7 +2515,7 @@
                     save some code here...  -kff */
 
                  /* Chop newline by hand, for strcmp()'s sake. */
-                 if (linebuf[num_red - 1] == '\n')
+		 if (num_red > 0 && linebuf[num_red - 1] == '\n')
                      linebuf[num_red - 1] = '\0';
 
                  if (strcmp (linebuf, CVS_Username) == 0)
diff -urN cvs-nserver-1.11.1.52.org/src/wrapper.c cvs-nserver-1.11.1.52/src/wrapper.c
--- cvs-nserver-1.11.1.52.org/src/wrapper.c	2004-06-11 15:13:22.708456608 +0200
+++ cvs-nserver-1.11.1.52/src/wrapper.c	2004-06-11 15:14:13.083798392 +0200
@@ -252,6 +252,30 @@
 #endif /* SERVER_SUPPORT || CLIENT_SUPPORT */
 
 /*
+ * Remove fmt str specifier other than %% or %s. And allow
+ * only max_s %s specifiers
+ */
+wrap_clean_fmt_str(char *fmt, int max_s)
+{
+    while (*fmt) {
+	if (fmt[0] == '%' && fmt[1])
+	{
+	    if (fmt[1] == '%') 
+		fmt++;
+	    else
+		if (fmt[1] == 's' && max_s > 0)
+		{
+		    max_s--;
+		    fmt++;
+		} else 
+		    *fmt = ' ';
+	}
+	fmt++;
+    }
+    return;
+}
+
+/*
  * Open a file and read lines, feeding each line to a line parser. Arrange
  * for keeping a temporary list of wrappers at the end, if the "temp"
  * argument is set.
@@ -575,9 +599,8 @@
     args = xmalloc (strlen (e->tocvsFilter)
 		    + strlen (fileName)
 		    + strlen (buf));
-    /* FIXME: sprintf will blow up if the format string contains items other
-       than %s, or contains too many %s's.  We should instead be parsing
-       e->tocvsFilter ourselves and giving a real error.  */
+
+    wrap_clean_fmt_str(e->tocvsFilter, 2);
     sprintf (args, e->tocvsFilter, fileName, buf);
     run_setup (args);
     run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL|RUN_REALLY );
@@ -609,9 +632,8 @@
 
     args = xmalloc (strlen (e->fromcvsFilter)
 		    + strlen (fileName));
-    /* FIXME: sprintf will blow up if the format string contains items other
-       than %s, or contains too many %s's.  We should instead be parsing
-       e->fromcvsFilter ourselves and giving a real error.  */
+
+    wrap_clean_fmt_str(e->fromcvsFilter, 1);
     sprintf (args, e->fromcvsFilter, fileName);
     run_setup (args);
     run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL );
Commit	Line	Data
1ac47269 AM	1	diff -urN cvs-nserver-1.11.1.52.org/acinclude.m4 cvs-nserver-1.11.1.52/acinclude.m4
	2	--- cvs-nserver-1.11.1.52.org/acinclude.m4 2004-06-11 15:13:22.806441712 +0200
	3	+++ cvs-nserver-1.11.1.52/acinclude.m4 2004-06-11 15:14:12.949818760 +0200
	4	@@ -229,3 +229,85 @@
	5	AC_SEARCH_LIBS([gss_import_name], [gssapi_krb5 gssapi])
	6	fi
	7	])dnl
	8	+
	9	+
	10	+
	11	+# size_max.m4 serial 2
	12	+dnl Copyright (C) 2003 Free Software Foundation, Inc.
	13	+dnl This file is free software, distributed under the terms of the GNU
	14	+dnl General Public License. As a special exception to the GNU General
	15	+dnl Public License, this file may be distributed as part of a program
	16	+dnl that contains a configuration script generated by Autoconf, under
	17	+dnl the same distribution terms as the rest of that program.
	18	+
	19	+dnl From Bruno Haible.
	20	+
	21	+AC_DEFUN([gl_SIZE_MAX],
	22	+[
	23	+ AC_CHECK_HEADERS(stdint.h)
	24	+ dnl First test whether the system already has SIZE_MAX.
	25	+ AC_MSG_CHECKING([for SIZE_MAX])
	26	+ result=
	27	+ AC_EGREP_CPP([Found it], [
	28	+#include <limits.h>
	29	+#if HAVE_STDINT_H
	30	+#include <stdint.h>
	31	+#endif
	32	+#ifdef SIZE_MAX
	33	+Found it
	34	+#endif
	35	+], result=yes)
	36	+ if test -z "$result"; then
	37	+ dnl Define it ourselves. Here we assume that the type 'size_t' is not wider
	38	+ dnl than the type 'unsigned long'.
	39	+ dnl The _AC_COMPUTE_INT macro works up to LONG_MAX, since it uses 'expr',
	40	+ dnl which is guaranteed to work from LONG_MIN to LONG_MAX.
	41	+ _AC_COMPUTE_INT([~(size_t)0 / 10], res_hi,
	42	+ [#include <stddef.h>], result=?)
	43	+ _AC_COMPUTE_INT([~(size_t)0 % 10], res_lo,
	44	+ [#include <stddef.h>], result=?)
	45	+ _AC_COMPUTE_INT([sizeof (size_t) <= sizeof (unsigned int)], fits_in_uint,
	46	+ [#include <stddef.h>], result=?)
	47	+ if test "$fits_in_uint" = 1; then
	48	+ dnl Even though SIZE_MAX fits in an unsigned int, it must be of type
	49	+ dnl 'unsigned long' if the type 'size_t' is the same as 'unsigned long'.
	50	+ AC_TRY_COMPILE([#include <stddef.h>
	51	+ extern size_t foo;
	52	+ extern unsigned long foo;
	53	+ ], [], fits_in_uint=0)
	54	+ fi
	55	+ if test -z "$result"; then
	56	+ if test "$fits_in_uint" = 1; then
	57	+ result="$res_hi$res_lo"U
	58	+ else
	59	+ result="$res_hi$res_lo"UL
	60	+ fi
	61	+ else
	62	+ dnl Shouldn't happen, but who knows...
	63	+ result='~(size_t)0'
	64	+ fi
65	+ fi
66	+ AC_MSG_RESULT([$result])
67	+ if test "$result" != yes; then
68	+ AC_DEFINE_UNQUOTED([SIZE_MAX], [$result],
69	+ [Define as the maximum value of type 'size_t', if the system doesn't define it.])
70	+ fi
71	+])
72	+
73	+
74	+
75	+# xsize.m4 serial 3
76	+dnl Copyright (C) 2003-2004 Free Software Foundation, Inc.
77	+dnl This file is free software, distributed under the terms of the GNU
78	+dnl General Public License. As a special exception to the GNU General
79	+dnl Public License, this file may be distributed as part of a program
80	+dnl that contains a configuration script generated by Autoconf, under
81	+dnl the same distribution terms as the rest of that program.
82	+
83	+AC_DEFUN([gl_XSIZE],
84	+[
85	+ dnl Prerequisites of lib/xsize.h.
86	+ AC_REQUIRE([gl_SIZE_MAX])
87	+ AC_REQUIRE([AC_C_INLINE])
88	+ AC_CHECK_HEADERS(stdint.h)
89	+])
90	diff -urN cvs-nserver-1.11.1.52.org/config.h.in cvs-nserver-1.11.1.52/config.h.in
91	--- cvs-nserver-1.11.1.52.org/config.h.in 2004-06-11 15:13:22.807441560 +0200
92	+++ cvs-nserver-1.11.1.52/config.h.in 2004-06-11 15:15:19.522698144 +0200
93	@@ -9,6 +9,10 @@
94	clients. */
95	#undef SERVER_SUPPORT
96
97	+/* Define as the maximum value of type 'size_t', if the system doesn't define
98	++ it. */
99	+#undef SIZE_MAX
100	+
101	/* Define if you want to use the password authenticated server. */
102	#undef AUTH_SERVER_SUPPORT
103
104	@@ -377,6 +381,12 @@
105	/* Define to `int' if <sys/types.h> doesn't define. */
106	#undef gid_t
107
108	+/* Define to `__inline__' or `__inline' if that's what the C compiler
109	+ calls it, or to nothing if 'inline' is not supported under any name. */
110	+#ifndef __cplusplus
111	+#undef inline
112	+#endif
113	+
114	/* Define to `int' if <sys/types.h> does not define. */
115	#undef mode_t
116
117	diff -urN cvs-nserver-1.11.1.52.org/configure.in cvs-nserver-1.11.1.52/configure.in
118	--- cvs-nserver-1.11.1.52.org/configure.in 2004-06-11 15:13:22.811440952 +0200
119	+++ cvs-nserver-1.11.1.52/configure.in 2004-06-11 15:16:03.298043280 +0200
120	@@ -121,6 +121,8 @@
121	AC_TYPE_SIZE_T
122	AC_TYPE_SIGNAL
123
124	+gl_XSIZE
125	+
126	AC_STRUCT_ST_BLKSIZE
127	AC_STRUCT_ST_RDEV
128	AC_REPLACE_FUNCS(mkdir rename strstr dup2 strerror valloc waitpid memmove strtoul)
129	diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.am cvs-nserver-1.11.1.52/lib/Makefile.am
130	--- cvs-nserver-1.11.1.52.org/lib/Makefile.am 2004-06-11 15:13:22.873431528 +0200
131	+++ cvs-nserver-1.11.1.52/lib/Makefile.am 2004-06-11 15:16:50.173917064 +0200
132	@@ -83,6 +83,9 @@
133	build_lib.com \
134	xgssapi.h
135
136	+# For the xsize module from GNULIB.
137	+libcvs_a_SOURCES += xsize.h
138	+
139	# for backwards compatibility with the old makefiles
140	realclean: maintainer-clean
141	.PHONY: realclean
142	diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.in cvs-nserver-1.11.1.52/lib/Makefile.in
143	--- cvs-nserver-1.11.1.52.org/lib/Makefile.in 2004-06-11 15:13:22.874431376 +0200
144	+++ cvs-nserver-1.11.1.52/lib/Makefile.in 2004-06-11 15:14:13.013809032 +0200
145	@@ -128,6 +128,8 @@
146	# Also should look into unifying regular expression matching in CVS
147	# with the diff library (perhaps to have the caller, CVS, do the
148	# matching?)
149	+
150	+# For the xsize module from GNULIB.
151	libcvs_a_SOURCES = \
152	argmatch.c \
153	ftruncate.c \
154	@@ -151,8 +153,8 @@
155	system.h \
156	wait.h \
157	xselect.h \
158	- xtime.h
159	-
160	+ xtime.h\
161	+xsize.h
162	libcvs_a_LIBADD = @LIBOBJS@
163
164	EXTRA_DIST = \
165	diff -urN cvs-nserver-1.11.1.52.org/lib/xsize.h cvs-nserver-1.11.1.52/lib/xsize.h
166	--- cvs-nserver-1.11.1.52.org/lib/xsize.h 1970-01-01 01:00:00.000000000 +0100
167	+++ cvs-nserver-1.11.1.52/lib/xsize.h 2004-06-11 15:14:13.015808728 +0200
168	@@ -0,0 +1,108 @@
169	+/* xsize.h -- Checked size_t computations.
170	+
171	+ Copyright (C) 2003 Free Software Foundation, Inc.
172	+
173	+ This program is free software; you can redistribute it and/or modify
174	+ it under the terms of the GNU General Public License as published by
175	+ the Free Software Foundation; either version 2, or (at your option)
176	+ any later version.
177	+
178	+ This program is distributed in the hope that it will be useful,
179	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
180	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
181	+ GNU General Public License for more details.
182	+
183	+ You should have received a copy of the GNU General Public License
184	+ along with this program; if not, write to the Free Software Foundation,
185	+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
186	+
187	+#ifndef _XSIZE_H
188	+#define _XSIZE_H
189	+
190	+/* Get size_t. */
191	+#include <stddef.h>
192	+
193	+/* Get SIZE_MAX. */
194	+#include <limits.h>
195	+#if HAVE_STDINT_H
196	+# include <stdint.h>
197	+#endif
198	+
199	+/* The size of memory objects is often computed through expressions of
200	+ type size_t. Example:
201	+ void* p = malloc (header_size + n * element_size).
202	+ These computations can lead to overflow. When this happens, malloc()
203	+ returns a piece of memory that is way too small, and the program then
204	+ crashes while attempting to fill the memory.
205	+ To avoid this, the functions and macros in this file check for overflow.
206	+ The convention is that SIZE_MAX represents overflow.
207	+ malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
208	+ implementation that uses mmap --, it's recommended to use size_overflow_p()
209	+ or size_in_bounds_p() before invoking malloc().
210	+ The example thus becomes:
211	+ size_t size = xsum (header_size, xtimes (n, element_size));
212	+ void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
213	+*/
214	+
215	+/* Convert an arbitrary value >= 0 to type size_t. */
216	+#define xcast_size_t(N) \
217	+ ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
218	+
219	+/* Sum of two sizes, with overflow check. */
220	+static inline size_t
221	+#if __GNUC__ >= 3
222	+__attribute__ ((__pure__))
223	+#endif
224	+xsum (size_t size1, size_t size2)
225	+{
226	+ size_t sum = size1 + size2;
227	+ return (sum >= size1 ? sum : SIZE_MAX);
228	+}
229	+
230	+/* Sum of three sizes, with overflow check. */
231	+static inline size_t
232	+#if __GNUC__ >= 3
233	+__attribute__ ((__pure__))
234	+#endif
235	+xsum3 (size_t size1, size_t size2, size_t size3)
236	+{
237	+ return xsum (xsum (size1, size2), size3);
238	+}
239	+
240	+/* Sum of four sizes, with overflow check. */
241	+static inline size_t
242	+#if __GNUC__ >= 3
243	+__attribute__ ((__pure__))
244	+#endif
245	+xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
246	+{
247	+ return xsum (xsum (xsum (size1, size2), size3), size4);
248	+}
249	+
250	+/* Maximum of two sizes, with overflow check. */
251	+static inline size_t
252	+#if __GNUC__ >= 3
253	+__attribute__ ((__pure__))
254	+#endif
255	+xmax (size_t size1, size_t size2)
256	+{
257	+ /* No explicit check is needed here, because for any n:
258	+ max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX. */
259	+ return (size1 >= size2 ? size1 : size2);
260	+}
261	+
262	+/* Multiplication of a count with an element size, with overflow check.
263	+ The count must be >= 0 and the element size must be > 0.
264	+ This is a macro, not an inline function, so that it works correctly even
265	+ when N is of a wider tupe and N > SIZE_MAX. */
266	+#define xtimes(N, ELSIZE) \
267	+ ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
268	+
269	+/* Check for overflow. */
270	+#define size_overflow_p(SIZE) \
271	+ ((SIZE) == SIZE_MAX)
272	+/* Check against overflow. */
273	+#define size_in_bounds_p(SIZE) \
274	+ ((SIZE) != SIZE_MAX)
275	+
276	+#endif /* _XSIZE_H */
277	diff -urN cvs-nserver-1.11.1.52.org/src/commit.c cvs-nserver-1.11.1.52/src/commit.c
278	--- cvs-nserver-1.11.1.52.org/src/commit.c 2004-06-11 15:13:22.631468312 +0200
279	+++ cvs-nserver-1.11.1.52/src/commit.c 2004-06-11 15:14:13.030806448 +0200
280	@@ -476,7 +476,12 @@
281	operate on, and only work with those files in the future.
282	This saves time--we don't want to search the file system
283	of the working directory twice. */
284	- find_args.argv = (char *) xmalloc (find_args.argc sizeof (char **));
285	+ if (size_overflow_p (xtimes (find_args.argc, sizeof (char **))))
286	+ {
287	+ find_args.argc = 0;
288	+ return 0;
289	+ }
290	+ find_args.argv = xmalloc (xtimes (find_args.argc, sizeof (char **)));
291	find_args.argc = 0;
292	walklist (find_args.ulist, copy_ulist, &find_args);
293
294	diff -urN cvs-nserver-1.11.1.52.org/src/cvs.h cvs-nserver-1.11.1.52/src/cvs.h
295	--- cvs-nserver-1.11.1.52.org/src/cvs.h 2004-06-11 15:13:22.711456152 +0200
296	+++ cvs-nserver-1.11.1.52/src/cvs.h 2004-06-11 15:14:13.039805080 +0200
297	@@ -37,6 +37,10 @@
298	#include "popen.h"
299	#endif
300
301	+/* Begin GNULIB headers. */
302	+#include "xsize.h"
303	+/* End GNULIB headers. */
304	+
305	#ifdef STDC_HEADERS
306	#include <stdlib.h>
307	#else
308	diff -urN cvs-nserver-1.11.1.52.org/src/filesubr.c cvs-nserver-1.11.1.52/src/filesubr.c
309	--- cvs-nserver-1.11.1.52.org/src/filesubr.c 2004-06-11 15:13:22.638467248 +0200
310	+++ cvs-nserver-1.11.1.52/src/filesubr.c 2004-06-11 15:14:13.042804624 +0200
311	@@ -925,8 +925,14 @@
312	char ***pargv;
313	{
314	int i;
315	+ if (size_overflow_p (xtimes (argc, sizeof (char *)))) {
316	+ *pargc = 0;
317	+ *pargv = NULL;
318	+ error (0, 0, "expand_wild: too many arguments");
319	+ return;
320	+ }
321	*pargc = argc;
322	- pargv = (char ) xmalloc (argc sizeof (char *));
323	+ pargv = xmalloc (xtimes (argc, sizeof (char )));
324	for (i = 0; i < argc; ++i)
325	(*pargv)[i] = xstrdup (argv[i]);
326	}
327	diff -urN cvs-nserver-1.11.1.52.org/src/history.c cvs-nserver-1.11.1.52/src/history.c
328	--- cvs-nserver-1.11.1.52.org/src/history.c 2004-06-11 15:13:22.642466640 +0200
329	+++ cvs-nserver-1.11.1.52/src/history.c 2004-06-11 15:14:13.046804016 +0200
330	@@ -417,8 +417,11 @@
331	working = 1;
332	break;
333	case 'X': /* Undocumented debugging flag */
334	+#ifdef DEBUG
335	histfile = optarg;
336	+#endif
337	break;
338	+
339	case 'D': /* Since specified date */
340	if (since_rev \|\| since_tag \|\| *backto)
341	{
342	@@ -900,9 +903,13 @@
343	{
344	if (user_count == user_max)
345	{
346	- user_max += USER_INCREMENT;
347	- user_list = (char *) xrealloc ((char ) user_list,
348	- (int) user_max * sizeof (char *));
349	+ user_max = xsum (user_max, USER_INCREMENT);
350	+ if (size_overflow_p (xtimes (user_max, sizeof (char *))))
351	+ {
352	+ error (0, 0, "save_user: too many users");
353	+ return;
354	+ }
355	+ user_list = xrealloc (user_list, xtimes (user_max, sizeof (char *)));
356	}
357	user_list[user_count++] = xstrdup (name);
358	}
359	@@ -930,9 +937,13 @@
360
361	if (file_count == file_max)
362	{
363	- file_max += FILE_INCREMENT;
364	- file_list = (struct file_list_str ) xrealloc ((char ) file_list,
365	- file_max * sizeof (*fl));
366	+ file_max = xsum (file_max, FILE_INCREMENT);
367	+ if (size_overflow_p (xtimes (file_max, sizeof (*fl))))
368	+ {
369	+ error (0, 0, "save_file: too many files");
370	+ return;
371	+ }
372	+ file_list = xrealloc (file_list, xtimes (file_max, sizeof (*fl)));
373	}
374	fl = &file_list[file_count++];
375	fl->l_file = cp = xmalloc (strlen (dir) + strlen (name) + 2);
376	@@ -971,9 +982,13 @@
377	{
378	if (mod_count == mod_max)
379	{
380	- mod_max += MODULE_INCREMENT;
381	- mod_list = (char *) xrealloc ((char ) mod_list,
382	- mod_max * sizeof (char *));
383	+ mod_max = xsum (mod_max, MODULE_INCREMENT);
384	+ if (size_overflow_p (xtimes (mod_max, sizeof (char *))))
385	+ {
386	+ error (0, 0, "save_module: too many modules");
387	+ return;
388	+ }
389	+ mod_list = xrealloc (mod_list, xtimes (mod_max, sizeof (char *)));
390	}
391	mod_list[mod_count++] = xstrdup (module);
392	}
393	diff -urN cvs-nserver-1.11.1.52.org/src/server.c cvs-nserver-1.11.1.52/src/server.c
394	--- cvs-nserver-1.11.1.52.org/src/server.c 2004-06-11 15:13:22.702457520 +0200
395	+++ cvs-nserver-1.11.1.52/src/server.c 2004-06-11 15:20:44.835243120 +0200
396	@@ -914,7 +914,7 @@
397	int i;
398	char *p;
399
400	- if (lim < 0)
401	+ if (lim < 0 \|\| lim > 10000)
402	return;
403	p = malloc (strlen (server_temp_dir) + 2 * lim + 10);
404	if (p == NULL)
405	@@ -1977,6 +1977,9 @@
406	{
407	char *cp;
408
409	+ if (!data[0])
410	+ goto error;
411	+
412	if (strchr (data, '+'))
413	goto error;
414
415	@@ -2108,6 +2111,14 @@
416	char *p;
417
418	if (error_pending()) return;
419	+
420	+ if (argument_count >= 10000)
421	+ {
422	+ if (alloc_pending (80))
423	+ sprintf (pending_error_text,
424	+ "E Protocol error: too many arguments");
425	+ return;
426	+ }
427
428	if (argument_vector_size <= argument_count + 1)
429	{
430	@@ -2139,6 +2150,14 @@
431	char *p;
432
433	if (error_pending()) return;
434	+
435	+ if (argument_count <= 1)
436	+ {
437	+ if (alloc_pending (80))
438	+ sprintf (pending_error_text,
439	+ "E Protocol error: called argumentx without prior call to argument");
440	+ return;
441	+ }
442
443	p = argument_vector[argument_count - 1];
444	p = realloc (p, strlen (p) + 1 + strlen (arg) + 1);
445	@@ -2496,7 +2515,7 @@
446	save some code here... -kff */
447
448	/* Chop newline by hand, for strcmp()'s sake. */
449	- if (linebuf[num_red - 1] == '\n')
450	+ if (num_red > 0 && linebuf[num_red - 1] == '\n')
451	linebuf[num_red - 1] = '\0';
452
453	if (strcmp (linebuf, CVS_Username) == 0)
454	diff -urN cvs-nserver-1.11.1.52.org/src/wrapper.c cvs-nserver-1.11.1.52/src/wrapper.c
455	--- cvs-nserver-1.11.1.52.org/src/wrapper.c 2004-06-11 15:13:22.708456608 +0200
456	+++ cvs-nserver-1.11.1.52/src/wrapper.c 2004-06-11 15:14:13.083798392 +0200
457	@@ -252,6 +252,30 @@
458	#endif /* SERVER_SUPPORT \|\| CLIENT_SUPPORT */
459
460	/*
461	+ * Remove fmt str specifier other than %% or %s. And allow
462	+ * only max_s %s specifiers
463	+ */
464	+wrap_clean_fmt_str(char *fmt, int max_s)
465	+{
466	+ while (*fmt) {
467	+ if (fmt[0] == '%' && fmt[1])
468	+ {
469	+ if (fmt[1] == '%')
470	+ fmt++;
471	+ else
472	+ if (fmt[1] == 's' && max_s > 0)
473	+ {
474	+ max_s--;
475	+ fmt++;
476	+ } else
477	+ *fmt = ' ';
478	+ }
479	+ fmt++;
480	+ }
481	+ return;
482	+}
483	+
484	+/*
485	* Open a file and read lines, feeding each line to a line parser. Arrange
486	* for keeping a temporary list of wrappers at the end, if the "temp"
487	* argument is set.
488	@@ -575,9 +599,8 @@
489	args = xmalloc (strlen (e->tocvsFilter)
490	+ strlen (fileName)
491	+ strlen (buf));
492	- /* FIXME: sprintf will blow up if the format string contains items other
493	- than %s, or contains too many %s's. We should instead be parsing
494	- e->tocvsFilter ourselves and giving a real error. */
495	+
496	+ wrap_clean_fmt_str(e->tocvsFilter, 2);
497	sprintf (args, e->tocvsFilter, fileName, buf);
498	run_setup (args);
499	run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL\|RUN_REALLY );
500	@@ -609,9 +632,8 @@
501
502	args = xmalloc (strlen (e->fromcvsFilter)
503	+ strlen (fileName));
504	- /* FIXME: sprintf will blow up if the format string contains items other
505	- than %s, or contains too many %s's. We should instead be parsing
506	- e->fromcvsFilter ourselves and giving a real error. */
507	+
508	+ wrap_clean_fmt_str(e->fromcvsFilter, 1);
509	sprintf (args, e->fromcvsFilter, fileName);
510	run_setup (args);
511	run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL );