From 4269bba2eb79d2011a11572e9a0f681b8e9082ff Mon Sep 17 00:00:00 2001 From: Jilles Tjoelker Date: Wed, 5 Sep 2018 19:16:09 +0000 Subject: [PATCH] sh: Fix formal overflow in pointer arithmetic The intention is to lower the value of the pointer, which according to ubsan cannot be done by adding an unsigned quantity. Reported by: kevans Approved by: re (kib) MFC after: 1 week --- bin/sh/expand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/sh/expand.c b/bin/sh/expand.c index f2287bea5605..6316400c88d5 100644 --- a/bin/sh/expand.c +++ b/bin/sh/expand.c @@ -896,7 +896,7 @@ reprocess(int startloc, int flag, int subtype, int quoted, startp = stackblock() + startloc; len = expdest - startp; - if (len >= SIZE_MAX / 2) + if (len >= SIZE_MAX / 2 || len > PTRDIFF_MAX) abort(); INTOFF; if (len >= buflen) { @@ -912,7 +912,7 @@ reprocess(int startloc, int flag, int subtype, int quoted, INTON; memcpy(buf, startp, len); buf[len] = '\0'; - STADJUST(-len, expdest); + STADJUST(-(ptrdiff_t)len, expdest); for (zpos = 0;;) { zlen = strlen(buf + zpos); strtodest(buf + zpos, flag, subtype, quoted, dst);