From c550ff5b95f8e659f091109cc33e185197ee0b87 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Sat, 19 Jun 2004 00:28:06 +0000
Subject: [PATCH] * mpool/mpool.c (mpool_get, mpool_write): Check that the
 offset calculation didn't overflow.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16495 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/util/db2/ChangeLog     |  5 +++++
 src/util/db2/mpool/mpool.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog
index 146525c81..6ac7cfab9 100644
--- a/src/util/db2/ChangeLog
+++ b/src/util/db2/ChangeLog
@@ -1,3 +1,8 @@
+2004-06-15  Ken Raeburn  <raeburn@mit.edu>
+
+	* mpool/mpool.c (mpool_get, mpool_write): Check that the offset
+	calculation didn't overflow.
+
 2004-06-11  Ken Raeburn  <raeburn@mit.edu>
 
 	* Makefile.in (include/generated.stmp): New intermediate target
diff --git a/src/util/db2/mpool/mpool.c b/src/util/db2/mpool/mpool.c
index 12e557d03..d172f71ba 100644
--- a/src/util/db2/mpool/mpool.c
+++ b/src/util/db2/mpool/mpool.c
@@ -227,6 +227,12 @@ mpool_get(mp, pgno, flags)
 	++mp->pageread;
 #endif
 	off = mp->pagesize * pgno;
+	if (off / mp->pagesize != pgno) {
+	    /* Run past the end of the file, or at least the part we
+	       can address without large-file support?  */
+	    errno = E2BIG;
+	    return NULL;
+	}
 	if (lseek(mp->fd, off, SEEK_SET) != off)
 		return (NULL);
 
@@ -416,6 +422,12 @@ mpool_write(mp, bp)
 		(mp->pgout)(mp->pgcookie, bp->pgno, bp->page);
 
 	off = mp->pagesize * bp->pgno;
+	if (off / mp->pagesize != bp->pgno) {
+	    /* Run past the end of the file, or at least the part we
+	       can address without large-file support?  */
+	    errno = E2BIG;
+	    return RET_ERROR;
+	}
 	if (lseek(mp->fd, off, SEEK_SET) != off)
 		return (RET_ERROR);
 	if (write(mp->fd, bp->page, mp->pagesize) != mp->pagesize)
-- 
2.26.2