The branch stable/12 has been updated by emaste:
URL:
https://cgit.FreeBSD.org/src/commit/?id=641ef7e69a49d793092859f8777817b5ecc82c51
commit 641ef7e69a49d793092859f8777817b5ecc82c51
Author: Ed Maste <ema...@freebsd.org>
AuthorDate: 2022-10-03 18:24:42 +0000
Commit: Ed Maste <ema...@freebsd.org>
CommitDate: 2022-10-07 15:23:27 +0000
libc: Fix size range check in setvbuf
From enh at google.com via openbsd-tech mailing list via pfg@:
The existing test is wrong for LP64, where size_t has twice as many
relevant bits as int, not just one. (Found by inspection by
rprichard.)
(cherry picked from commit 9515313b26beb005a521aff2e6edd4d75cd010da)
---
lib/libc/stdio/setvbuf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/libc/stdio/setvbuf.c b/lib/libc/stdio/setvbuf.c
index 03a3c7263125..8947e61e7c29 100644
--- a/lib/libc/stdio/setvbuf.c
+++ b/lib/libc/stdio/setvbuf.c
@@ -39,6 +39,7 @@ static char sccsid[] = "@(#)setvbuf.c 8.2 (Berkeley)
11/16/93";
__FBSDID("$FreeBSD$");
#include "namespace.h"
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include "un-namespace.h"
@@ -62,7 +63,7 @@ setvbuf(FILE * __restrict fp, char * __restrict buf, int
mode, size_t size)
* when setting _IONBF.
*/
if (mode != _IONBF)
- if ((mode != _IOFBF && mode != _IOLBF) || (int)size < 0)
+ if ((mode != _IOFBF && mode != _IOLBF) || size > INT_MAX)
return (EOF);
FLOCKFILE_CANCELSAFE(fp);
