* mpool/mpool.c (mpool_get, mpool_write): Check that the offset calculation

didn't overflow.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16495 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog
index 146525c81edd600c4ef6bc45a529a7f05025e925..6ac7cfab983062943a914bd9efe4db4a218e82b2 100644 (file)
--- a/src/util/db2/ChangeLog
+++ b/src/util/db2/ChangeLog
@@ -1,3 +1,8 @@
+2004-06-15  Ken Raeburn  <raeburn@mit.edu>
+
+       * mpool/mpool.c (mpool_get, mpool_write): Check that the offset
+       calculation didn't overflow.
+
 2004-06-11  Ken Raeburn  <raeburn@mit.edu>
 
        * Makefile.in (include/generated.stmp): New intermediate target

diff --git a/src/util/db2/mpool/mpool.c b/src/util/db2/mpool/mpool.c
index 12e557d03140fa75dd9860a228d1d8ecd38e51f0..d172f71baab36ec2aae03c85ad7153f10a80b765 100644 (file)
--- a/src/util/db2/mpool/mpool.c
+++ b/src/util/db2/mpool/mpool.c
@@ -227,6 +227,12 @@ mpool_get(mp, pgno, flags)
        ++mp->pageread;
 #endif
        off = mp->pagesize * pgno;
+       if (off / mp->pagesize != pgno) {
+           /* Run past the end of the file, or at least the part we
+              can address without large-file support?  */
+           errno = E2BIG;
+           return NULL;
+       }
        if (lseek(mp->fd, off, SEEK_SET) != off)
                return (NULL);
 
@@ -416,6 +422,12 @@ mpool_write(mp, bp)
                (mp->pgout)(mp->pgcookie, bp->pgno, bp->page);
 
        off = mp->pagesize * bp->pgno;
+       if (off / mp->pagesize != bp->pgno) {
+           /* Run past the end of the file, or at least the part we
+              can address without large-file support?  */
+           errno = E2BIG;
+           return RET_ERROR;
+       }
        if (lseek(mp->fd, off, SEEK_SET) != off)
                return (RET_ERROR);
        if (write(mp->fd, bp->page, mp->pagesize) != mp->pagesize)