1 diff -urN cvs-nserver-1.11.1.52.org/acinclude.m4 cvs-nserver-1.11.1.52/acinclude.m4
2 --- cvs-nserver-1.11.1.52.org/acinclude.m4 2004-06-11 15:13:22.806441712 +0200
3 +++ cvs-nserver-1.11.1.52/acinclude.m4 2004-06-11 15:14:12.949818760 +0200
5 AC_SEARCH_LIBS([gss_import_name], [gssapi_krb5 gssapi])
11 +# size_max.m4 serial 2
12 +dnl Copyright (C) 2003 Free Software Foundation, Inc.
13 +dnl This file is free software, distributed under the terms of the GNU
14 +dnl General Public License. As a special exception to the GNU General
15 +dnl Public License, this file may be distributed as part of a program
16 +dnl that contains a configuration script generated by Autoconf, under
17 +dnl the same distribution terms as the rest of that program.
19 +dnl From Bruno Haible.
21 +AC_DEFUN([gl_SIZE_MAX],
23 + AC_CHECK_HEADERS(stdint.h)
24 + dnl First test whether the system already has SIZE_MAX.
25 + AC_MSG_CHECKING([for SIZE_MAX])
27 + AC_EGREP_CPP([Found it], [
36 + if test -z "$result"; then
37 + dnl Define it ourselves. Here we assume that the type 'size_t' is not wider
38 + dnl than the type 'unsigned long'.
39 + dnl The _AC_COMPUTE_INT macro works up to LONG_MAX, since it uses 'expr',
40 + dnl which is guaranteed to work from LONG_MIN to LONG_MAX.
41 + _AC_COMPUTE_INT([~(size_t)0 / 10], res_hi,
42 + [#include <stddef.h>], result=?)
43 + _AC_COMPUTE_INT([~(size_t)0 % 10], res_lo,
44 + [#include <stddef.h>], result=?)
45 + _AC_COMPUTE_INT([sizeof (size_t) <= sizeof (unsigned int)], fits_in_uint,
46 + [#include <stddef.h>], result=?)
47 + if test "$fits_in_uint" = 1; then
48 + dnl Even though SIZE_MAX fits in an unsigned int, it must be of type
49 + dnl 'unsigned long' if the type 'size_t' is the same as 'unsigned long'.
50 + AC_TRY_COMPILE([#include <stddef.h>
52 + extern unsigned long foo;
53 + ], [], fits_in_uint=0)
55 + if test -z "$result"; then
56 + if test "$fits_in_uint" = 1; then
57 + result="$res_hi$res_lo"U
59 + result="$res_hi$res_lo"UL
62 + dnl Shouldn't happen, but who knows...
66 + AC_MSG_RESULT([$result])
67 + if test "$result" != yes; then
68 + AC_DEFINE_UNQUOTED([SIZE_MAX], [$result],
69 + [Define as the maximum value of type 'size_t', if the system doesn't define it.])
76 +dnl Copyright (C) 2003-2004 Free Software Foundation, Inc.
77 +dnl This file is free software, distributed under the terms of the GNU
78 +dnl General Public License. As a special exception to the GNU General
79 +dnl Public License, this file may be distributed as part of a program
80 +dnl that contains a configuration script generated by Autoconf, under
81 +dnl the same distribution terms as the rest of that program.
85 + dnl Prerequisites of lib/xsize.h.
86 + AC_REQUIRE([gl_SIZE_MAX])
87 + AC_REQUIRE([AC_C_INLINE])
88 + AC_CHECK_HEADERS(stdint.h)
90 diff -urN cvs-nserver-1.11.1.52.org/config.h.in cvs-nserver-1.11.1.52/config.h.in
91 --- cvs-nserver-1.11.1.52.org/config.h.in 2004-06-11 15:13:22.807441560 +0200
92 +++ cvs-nserver-1.11.1.52/config.h.in 2004-06-11 15:15:19.522698144 +0200
97 +/* Define as the maximum value of type 'size_t', if the system doesn't define
101 /* Define if you want to use the password authenticated server. */
102 #undef AUTH_SERVER_SUPPORT
105 /* Define to `int' if <sys/types.h> doesn't define. */
108 +/* Define to `__inline__' or `__inline' if that's what the C compiler
109 + calls it, or to nothing if 'inline' is not supported under any name. */
114 /* Define to `int' if <sys/types.h> does not define. */
117 diff -urN cvs-nserver-1.11.1.52.org/configure.in cvs-nserver-1.11.1.52/configure.in
118 --- cvs-nserver-1.11.1.52.org/configure.in 2004-06-11 15:13:22.811440952 +0200
119 +++ cvs-nserver-1.11.1.52/configure.in 2004-06-11 15:16:03.298043280 +0200
128 AC_REPLACE_FUNCS(mkdir rename strstr dup2 strerror valloc waitpid memmove strtoul)
129 diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.am cvs-nserver-1.11.1.52/lib/Makefile.am
130 --- cvs-nserver-1.11.1.52.org/lib/Makefile.am 2004-06-11 15:13:22.873431528 +0200
131 +++ cvs-nserver-1.11.1.52/lib/Makefile.am 2004-06-11 15:16:50.173917064 +0200
136 +# For the xsize module from GNULIB.
137 +libcvs_a_SOURCES += xsize.h
139 # for backwards compatibility with the old makefiles
140 realclean: maintainer-clean
142 diff -urN cvs-nserver-1.11.1.52.org/lib/Makefile.in cvs-nserver-1.11.1.52/lib/Makefile.in
143 --- cvs-nserver-1.11.1.52.org/lib/Makefile.in 2004-06-11 15:13:22.874431376 +0200
144 +++ cvs-nserver-1.11.1.52/lib/Makefile.in 2004-06-11 15:14:13.013809032 +0200
146 # Also should look into unifying regular expression matching in CVS
147 # with the diff library (perhaps to have the caller, CVS, do the
150 +# For the xsize module from GNULIB.
162 libcvs_a_LIBADD = @LIBOBJS@
165 diff -urN cvs-nserver-1.11.1.52.org/lib/xsize.h cvs-nserver-1.11.1.52/lib/xsize.h
166 --- cvs-nserver-1.11.1.52.org/lib/xsize.h 1970-01-01 01:00:00.000000000 +0100
167 +++ cvs-nserver-1.11.1.52/lib/xsize.h 2004-06-11 15:14:13.015808728 +0200
169 +/* xsize.h -- Checked size_t computations.
171 + Copyright (C) 2003 Free Software Foundation, Inc.
173 + This program is free software; you can redistribute it and/or modify
174 + it under the terms of the GNU General Public License as published by
175 + the Free Software Foundation; either version 2, or (at your option)
178 + This program is distributed in the hope that it will be useful,
179 + but WITHOUT ANY WARRANTY; without even the implied warranty of
180 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
181 + GNU General Public License for more details.
183 + You should have received a copy of the GNU General Public License
184 + along with this program; if not, write to the Free Software Foundation,
185 + Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
196 +# include <stdint.h>
199 +/* The size of memory objects is often computed through expressions of
200 + type size_t. Example:
201 + void* p = malloc (header_size + n * element_size).
202 + These computations can lead to overflow. When this happens, malloc()
203 + returns a piece of memory that is way too small, and the program then
204 + crashes while attempting to fill the memory.
205 + To avoid this, the functions and macros in this file check for overflow.
206 + The convention is that SIZE_MAX represents overflow.
207 + malloc (SIZE_MAX) is not guaranteed to fail -- think of a malloc
208 + implementation that uses mmap --, it's recommended to use size_overflow_p()
209 + or size_in_bounds_p() before invoking malloc().
210 + The example thus becomes:
211 + size_t size = xsum (header_size, xtimes (n, element_size));
212 + void *p = (size_in_bounds_p (size) ? malloc (size) : NULL);
215 +/* Convert an arbitrary value >= 0 to type size_t. */
216 +#define xcast_size_t(N) \
217 + ((N) <= SIZE_MAX ? (size_t) (N) : SIZE_MAX)
219 +/* Sum of two sizes, with overflow check. */
220 +static inline size_t
222 +__attribute__ ((__pure__))
224 +xsum (size_t size1, size_t size2)
226 + size_t sum = size1 + size2;
227 + return (sum >= size1 ? sum : SIZE_MAX);
230 +/* Sum of three sizes, with overflow check. */
231 +static inline size_t
233 +__attribute__ ((__pure__))
235 +xsum3 (size_t size1, size_t size2, size_t size3)
237 + return xsum (xsum (size1, size2), size3);
240 +/* Sum of four sizes, with overflow check. */
241 +static inline size_t
243 +__attribute__ ((__pure__))
245 +xsum4 (size_t size1, size_t size2, size_t size3, size_t size4)
247 + return xsum (xsum (xsum (size1, size2), size3), size4);
250 +/* Maximum of two sizes, with overflow check. */
251 +static inline size_t
253 +__attribute__ ((__pure__))
255 +xmax (size_t size1, size_t size2)
257 + /* No explicit check is needed here, because for any n:
258 + max (SIZE_MAX, n) == SIZE_MAX and max (n, SIZE_MAX) == SIZE_MAX. */
259 + return (size1 >= size2 ? size1 : size2);
262 +/* Multiplication of a count with an element size, with overflow check.
263 + The count must be >= 0 and the element size must be > 0.
264 + This is a macro, not an inline function, so that it works correctly even
265 + when N is of a wider tupe and N > SIZE_MAX. */
266 +#define xtimes(N, ELSIZE) \
267 + ((N) <= SIZE_MAX / (ELSIZE) ? (size_t) (N) * (ELSIZE) : SIZE_MAX)
269 +/* Check for overflow. */
270 +#define size_overflow_p(SIZE) \
271 + ((SIZE) == SIZE_MAX)
272 +/* Check against overflow. */
273 +#define size_in_bounds_p(SIZE) \
274 + ((SIZE) != SIZE_MAX)
276 +#endif /* _XSIZE_H */
277 diff -urN cvs-nserver-1.11.1.52.org/src/commit.c cvs-nserver-1.11.1.52/src/commit.c
278 --- cvs-nserver-1.11.1.52.org/src/commit.c 2004-06-11 15:13:22.631468312 +0200
279 +++ cvs-nserver-1.11.1.52/src/commit.c 2004-06-11 15:14:13.030806448 +0200
281 operate on, and only work with those files in the future.
282 This saves time--we don't want to search the file system
283 of the working directory twice. */
284 - find_args.argv = (char **) xmalloc (find_args.argc * sizeof (char **));
285 + if (size_overflow_p (xtimes (find_args.argc, sizeof (char **))))
287 + find_args.argc = 0;
290 + find_args.argv = xmalloc (xtimes (find_args.argc, sizeof (char **)));
292 walklist (find_args.ulist, copy_ulist, &find_args);
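Review bot: The overflow branch clears `find_args.argc` but no diagnostic is visible in this hunk, whereas the matching checks in src/filesubr.c and src/history.c call `error (0, 0, ...)`. If the branch simply returns, the caller probably cannot tell an oversized argument list from an empty one. Consider reporting it the same way, e.g. `error (0, 0, "commit: too many arguments");` (the lines between the `if` and the allocation are not shown, so this may already be handled). The element size is also written `sizeof (char **)` although the vector holds `char *` elements; `sizeof *find_args.argv` states the intent and stays correct if the type changes. The enclosing function starts and ends outside the hunk.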
294 diff -urN cvs-nserver-1.11.1.52.org/src/cvs.h cvs-nserver-1.11.1.52/src/cvs.h
295 --- cvs-nserver-1.11.1.52.org/src/cvs.h 2004-06-11 15:13:22.711456152 +0200
296 +++ cvs-nserver-1.11.1.52/src/cvs.h 2004-06-11 15:14:13.039805080 +0200
301 +/* Begin GNULIB headers. */
303 +/* End GNULIB headers. */
308 diff -urN cvs-nserver-1.11.1.52.org/src/filesubr.c cvs-nserver-1.11.1.52/src/filesubr.c
309 --- cvs-nserver-1.11.1.52.org/src/filesubr.c 2004-06-11 15:13:22.638467248 +0200
310 +++ cvs-nserver-1.11.1.52/src/filesubr.c 2004-06-11 15:14:13.042804624 +0200
315 + if (size_overflow_p (xtimes (argc, sizeof (char *)))) {
318 + error (0, 0, "expand_wild: too many arguments");
322 - *pargv = (char **) xmalloc (argc * sizeof (char *));
323 + *pargv = xmalloc (xtimes (argc, sizeof (char *)));
324 for (i = 0; i < argc; ++i)
325 (*pargv)[i] = xstrdup (argv[i]);
327 diff -urN cvs-nserver-1.11.1.52.org/src/history.c cvs-nserver-1.11.1.52/src/history.c
328 --- cvs-nserver-1.11.1.52.org/src/history.c 2004-06-11 15:13:22.642466640 +0200
329 +++ cvs-nserver-1.11.1.52/src/history.c 2004-06-11 15:14:13.046804016 +0200
333 case 'X': /* Undocumented debugging flag */
339 case 'D': /* Since specified date */
340 if (*since_rev || *since_tag || *backto)
344 if (user_count == user_max)
346 - user_max += USER_INCREMENT;
347 - user_list = (char **) xrealloc ((char *) user_list,
348 - (int) user_max * sizeof (char *));
349 + user_max = xsum (user_max, USER_INCREMENT);
350 + if (size_overflow_p (xtimes (user_max, sizeof (char *))))
352 + error (0, 0, "save_user: too many users");
355 + user_list = xrealloc (user_list, xtimes (user_max, sizeof (char *)));
357 user_list[user_count++] = xstrdup (name);
361 if (file_count == file_max)
363 - file_max += FILE_INCREMENT;
364 - file_list = (struct file_list_str *) xrealloc ((char *) file_list,
365 - file_max * sizeof (*fl));
366 + file_max = xsum (file_max, FILE_INCREMENT);
367 + if (size_overflow_p (xtimes (file_max, sizeof (*fl))))
369 + error (0, 0, "save_file: too many files");
372 + file_list = xrealloc (file_list, xtimes (file_max, sizeof (*fl)));
374 fl = &file_list[file_count++];
375 fl->l_file = cp = xmalloc (strlen (dir) + strlen (name) + 2);
378 if (mod_count == mod_max)
380 - mod_max += MODULE_INCREMENT;
381 - mod_list = (char **) xrealloc ((char *) mod_list,
382 - mod_max * sizeof (char *));
383 + mod_max = xsum (mod_max, MODULE_INCREMENT);
384 + if (size_overflow_p (xtimes (mod_max, sizeof (char *))))
386 + error (0, 0, "save_module: too many modules");
389 + mod_list = xrealloc (mod_list, xtimes (mod_max, sizeof (char *)));
391 mod_list[mod_count++] = xstrdup (module);
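Review bot: In save_user, `user_max` is overwritten with the grown capacity before the overflow test. If the branch after `error (0, 0, "save_user: too many users")` returns without reallocating (those lines are not visible), `user_max` no longer matches the real size of `user_list`. A later call would then see `user_count != user_max`, skip the growth path and store through `user_list[user_count++]` past the end of the allocation. Keep the candidate in a local and commit it only on success: `size_t new_max = xsum (user_max, USER_INCREMENT);`, test `xtimes (new_max, sizeof (char *))`, and assign `user_max = new_max;` after the `xrealloc`. The same ordering appears in save_file (`file_max`) and save_module (`mod_max`).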
393 diff -urN cvs-nserver-1.11.1.52.org/src/server.c cvs-nserver-1.11.1.52/src/server.c
394 --- cvs-nserver-1.11.1.52.org/src/server.c 2004-06-11 15:13:22.702457520 +0200
395 +++ cvs-nserver-1.11.1.52/src/server.c 2004-06-11 15:20:44.835243120 +0200
401 + if (lim < 0 || lim > 10000)
403 p = malloc (strlen (server_temp_dir) + 2 * lim + 10);
405 @@ -1977,6 +1977,9 @@
412 if (strchr (data, '+'))
415 @@ -2108,6 +2111,14 @@
418 if (error_pending()) return;
420 + if (argument_count >= 10000)
422 + if (alloc_pending (80))
423 + sprintf (pending_error_text,
424 + "E Protocol error: too many arguments");
428 if (argument_vector_size <= argument_count + 1)
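Review bot: The cap in `if (argument_count >= 10000)` is a bare literal, and the same `10000` bounds `lim` in the first hunk of this file for an unrelated quantity, so a reader cannot tell whether the two limits are meant to change together. Give each its own named constant, e.g. `#define MAX_ARGUMENT_COUNT 10000`. A comment should say that the cap bounds how much memory a client can make the server allocate through repeated argument requests. The `alloc_pending (80)` size is also tied by hand to the message length; the two messages added in this file fit, but a comment next to the `sprintf` saying so would keep a later, longer message from overrunning `pending_error_text`. The enclosing function starts and ends outside the hunk.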
430 @@ -2139,6 +2150,14 @@
433 if (error_pending()) return;
435 + if (argument_count <= 1)
437 + if (alloc_pending (80))
438 + sprintf (pending_error_text,
439 + "E Protocol error: called argumentx without prior call to argument");
443 p = argument_vector[argument_count - 1];
444 p = realloc (p, strlen (p) + 1 + strlen (arg) + 1);
445 @@ -2496,7 +2515,7 @@
446 save some code here... -kff */
448 /* Chop newline by hand, for strcmp()'s sake. */
449 - if (linebuf[num_red - 1] == '\n')
450 + if (num_red > 0 && linebuf[num_red - 1] == '\n')
451 linebuf[num_red - 1] = '\0';
453 if (strcmp (linebuf, CVS_Username) == 0)
454 diff -urN cvs-nserver-1.11.1.52.org/src/wrapper.c cvs-nserver-1.11.1.52/src/wrapper.c
455 --- cvs-nserver-1.11.1.52.org/src/wrapper.c 2004-06-11 15:13:22.708456608 +0200
456 +++ cvs-nserver-1.11.1.52/src/wrapper.c 2004-06-11 15:14:13.083798392 +0200
458 #endif /* SERVER_SUPPORT || CLIENT_SUPPORT */
461 + * Remove fmt str specifier other than %% or %s. And allow
462 + * only max_s %s specifiers
464 +wrap_clean_fmt_str(char *fmt, int max_s)
467 + if (fmt[0] == '%' && fmt[1])
472 + if (fmt[1] == 's' && max_s > 0)
485 * Open a file and read lines, feeding each line to a line parser. Arrange
486 * for keeping a temporary list of wrappers at the end, if the "temp"
489 args = xmalloc (strlen (e->tocvsFilter)
492 - /* FIXME: sprintf will blow up if the format string contains items other
493 - than %s, or contains too many %s's. We should instead be parsing
494 - e->tocvsFilter ourselves and giving a real error. */
496 + wrap_clean_fmt_str(e->tocvsFilter, 2);
497 sprintf (args, e->tocvsFilter, fileName, buf);
499 run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL|RUN_REALLY );
502 args = xmalloc (strlen (e->fromcvsFilter)
503 + strlen (fileName));
504 - /* FIXME: sprintf will blow up if the format string contains items other
505 - than %s, or contains too many %s's. We should instead be parsing
506 - e->fromcvsFilter ourselves and giving a real error. */
508 + wrap_clean_fmt_str(e->fromcvsFilter, 1);
509 sprintf (args, e->fromcvsFilter, fileName);
511 run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL );
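Review bot: wrap_clean_fmt_str rewrites `e->tocvsFilter` and `e->fromcvsFilter` in place and, as far as the visible lines show, reports nothing when it strips a conversion, although the FIXME removed here asked for "a real error". A wrapper entry with a stray or surplus specifier would then run a command line different from the one configured, with no hint to whoever maintains the wrapper file. Consider emitting an `error (0, 0, ...)` that names the offending filter when anything is removed. Judging by the `fmt[1] == 's'` test, the header comment should also say that FMT is modified in place and that conversions with flags or widths, such as `%5s`, are not accepted as `%s`. Only part of the function body is visible in this hunk.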