
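--- a/cvs-1.12.7.orig/src/commit.c
+++ b/cvs-1.12.7.orig/src/commit.c
@@ -484,6 +484,11 @@
 	   operate on, and only work with those files in the future.
 	   This saves time--we don't want to search the file system
 	   of the working directory twice.  */
+	if (find_args.argc > (0x7fffffff / sizeof (char **)))
+	{
+	    find_args.argc = 0;
+	    return 0;
+	}
 	find_args.argv = (char **) xmalloc (find_args.argc * sizeof (char **));
 	find_args.argc = 0;
 	walklist (find_args.ulist, copy_ulist, &find_args);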
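Review bot: The new overflow guard leaves through `return 0;` with no diagnostic, so if 0 is this function's success status (its start is outside the hunk, so that is inferred) an oversized file list looks like a clean no-op to the caller. The matching guard in filesubr.c at least reports through `error (0, 0, ...)`; here I would add `error (0, 0, "commit: too many files");` before the return and hand back a non-zero status. A one-line comment that the bound keeps `find_args.argc * sizeof (char **)` from wrapping in the xmalloc size would also explain the `0x7fffffff` literal.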
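--- a/cvs-1.12.7.orig/src/filesubr.c
+++ b/cvs-1.12.7.orig/src/filesubr.c
@@ -924,6 +924,12 @@
 expand_wild (int argc, char **argv, int *pargc, char ***pargv)
 {
     int i;
+    if (argc > (0x7fffffff / sizeof (char *))) {
+	*pargc = 0;
+	*pargv = NULL;
+	error (0, 0, "expand_wild: too many arguments");
+	return;
+    }
     *pargc = argc;
     *pargv = (char **) xmalloc (argc * sizeof (char *));
     for (i = 0; i < argc; ++i)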
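Review bot: On the rejection path the caller gets `*pargc = 0` and `*pargv = NULL` after a non-fatal `error (0, 0, ...)`, which it cannot tell apart from a legitimately empty expansion because expand_wild has no return value. If any caller treats an empty argument list as "operate on everything" (not visible here, so this is an assumption to check), the command would carry on with a much wider scope than the user asked for. Making the condition fatal, `error (1, 0, "expand_wild: too many arguments");`, avoids that ambiguity. The rest of the function body lies outside the hunk.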
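--- a/cvs-1.12.7.orig/src/history.c
+++ b/cvs-1.12.7.orig/src/history.c
@@ -412,8 +412,11 @@
 		working = 1;
 		break;
 	    case 'X':			/* Undocumented debugging flag */
+#ifdef DEBUG
 		histfile = optarg;
+#endif
 		break;
+
 	    case 'D':			/* Since specified date */
 		if (*since_rev || *since_tag || *backto)
 		{
@@ -898,6 +901,11 @@
 {
     if (user_count == user_max)
     {
+	if (user_max + USER_INCREMENT > (0x7FFFFFFF / sizeof (char *)))
+	{
+	    error (0, 0, "save_user: too many users");
+	    return;
+	}
 	user_max += USER_INCREMENT;
 	user_list = (char **) xrealloc ((char *) user_list,
 					(int) user_max * sizeof (char *));
@@ -925,6 +933,11 @@
 
     if (file_count == file_max)
     {
+	if (file_max + FILE_INCREMENT > (0x7FFFFFFF / sizeof (*fl)))
+	{
+	    error (0, 0, "save_file: too many files");
+	    return;
+	}
 	file_max += FILE_INCREMENT;
 	file_list = (struct file_list_str *) xrealloc ((char *) file_list,
 						   file_max * sizeof (*fl));
@@ -965,6 +978,11 @@
 {
     if (mod_count == mod_max)
     {
+	if (mod_max + MODULE_INCREMENT > (0x7FFFFFFF / sizeof (char *)))
+	{
+	    error (0, 0, "save_module: too many modules");
+	    return;
+	}
 	mod_max += MODULE_INCREMENT;
 	mod_list = (char **) xrealloc ((char *) mod_list,
 				       mod_max * sizeof (char *));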
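Review bot: With DEBUG undefined, `case 'X'` is still accepted and its argument is thrown away without a message, so the flag quietly becomes a no-op. If the aim is to stop callers choosing which file is read as the history file in production builds (inferred from `histfile = optarg;` being compiled out), the comment should say so, e.g. `/* Debug builds only: overrides the history file path */`, and the non-DEBUG case could report the flag as unsupported instead of ignoring it. Separately, the three `save_*` guards in this file repeat the literal `0x7FFFFFFF`; one named constant would keep them in step.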
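--- a/cvs-1.12.7.orig/src/server.c
+++ b/cvs-1.12.7.orig/src/server.c
@@ -886,7 +886,7 @@
     int i;
     char *p;
 
-    if (lim < 0)
+    if (lim < 0 || lim > 10000)
 	return;
     p = xmalloc (strlen (server_temp_dir) + 2 * lim + 10);
     if (p == NULL)
@@ -1936,6 +1936,9 @@
     {
 	char *cp;
 
+	if (!data[0])
+	    goto error;
+
 	if (strchr (data, '+'))
 	    goto error;
 
@@ -2068,6 +2071,14 @@
     char *p;
 
     if (error_pending()) return;
+    
+    if (argument_count >= 10000)
+    {
+	if (alloc_pending (80))
+	    sprintf (pending_error_text, 
+		     "E Protocol error: too many arguments");
+	return;
+    }
 
     if (argument_vector_size <= argument_count)
     {
@@ -2097,6 +2108,14 @@
     char *p;
 
     if (error_pending()) return;
+    
+    if (argument_count <= 1) 
+    {
+	if (alloc_pending (80))
+	    sprintf (pending_error_text,
+		     "E Protocol error: called argumentx without prior call to argument");
+	return;
+    }
 
     p = argument_vector[argument_count - 1];
     p = xrealloc (p, strlen (p) + 1 + strlen (arg) + 1);
@@ -2423,7 +2442,7 @@
                     save some code here...  -kff */
 
                  /* Chop newline by hand, for strcmp()'s sake. */
-                 if (linebuf[num_red - 1] == '\n')
+                 if (num_red > 0 && linebuf[num_red - 1] == '\n')
                      linebuf[num_red - 1] = '\0';
 
                  if (strcmp (linebuf, CVS_Username) == 0)
@@ -2478,7 +2497,7 @@
 	 while ((num_red = getline (&linebuf, &linebuf_len, fp)) >= 0)
 	 {
 	     /* Chop newline by hand, for strcmp()'s sake. */
-	     if (num_red > 0 && linebuf[num_red - 1] == '\n')
+	     if (num_red > 0 && linebuf[num_red - 1] == '\n')
 		 linebuf[num_red - 1] = '\0';
 
 	     if (strcmp (linebuf, CVS_Username) == 0)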
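Review bot: The widened guard `if (lim < 0 || lim > 10000)` in the first hunk rejects an out-of-range value by returning silently, whereas the two argument handlers further down record a protocol error for the client. A peer that sends an oversized limit therefore gets no indication that the request was ignored, and nothing is left for an operator to see either. I would set the pending error on that path as the other hunks do, e.g. `if (alloc_pending (80)) sprintf (pending_error_text, "E Protocol error: limit out of range");` before the `return;`. The bound 10000 also appears as a bare literal in `argument_count >= 10000`; a named constant with a comment on why that ceiling was chosen would help. The enclosing function begins outside the hunk.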
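--- a/cvs-1.12.7.orig/src/wrapper.c
+++ b/cvs-1.12.7.orig/src/wrapper.c
@@ -235,6 +235,30 @@
 #endif /* SERVER_SUPPORT || CLIENT_SUPPORT */
 
 /*
+ * Remove fmt str specifier other than %% or %s. And allow
+ * only max_s %s specifiers
+ */
+wrap_clean_fmt_str(char *fmt, int max_s)
+{
+    while (*fmt) {
+	if (fmt[0] == '%' && fmt[1])
+	{
+	    if (fmt[1] == '%') 
+		fmt++;
+	    else
+		if (fmt[1] == 's' && max_s > 0)
+		{
+		    max_s--;
+		    fmt++;
+		} else 
+		    *fmt = ' ';
+	}
+	fmt++;
+    }
+    return;
+}
+
+/*
  * Open a file and read lines, feeding each line to a line parser. Arrange
  * for keeping a temporary list of wrappers at the end, if the "temp"
  * argument is set.
@@ -540,9 +564,8 @@
     args = xmalloc (strlen (e->tocvsFilter)
 		    + strlen (fileName)
 		    + strlen (buf));
-    /* FIXME: sprintf will blow up if the format string contains items other
-       than %s, or contains too many %s's.  We should instead be parsing
-       e->tocvsFilter ourselves and giving a real error.  */
+
+    wrap_clean_fmt_str(e->tocvsFilter, 2);
     sprintf (args, e->tocvsFilter, fileName, buf);
     run_setup (args);
     run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL|RUN_REALLY );
@@ -572,9 +595,8 @@
 
     args = xmalloc (strlen (e->fromcvsFilter)
 		    + strlen (fileName));
-    /* FIXME: sprintf will blow up if the format string contains items other
-       than %s, or contains too many %s's.  We should instead be parsing
-       e->fromcvsFilter ourselves and giving a real error.  */
+
+    wrap_clean_fmt_str(e->fromcvsFilter, 1);
     sprintf (args, e->fromcvsFilter, fileName);
     run_setup (args);
     run_exec(RUN_TTY, RUN_TTY, RUN_TTY, RUN_NORMAL );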
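Review bot: In wrap_clean_fmt_str the test `if (fmt[0] == '%' && fmt[1])` skips a `%` that is the last character of the filter string, so a format ending in a lone `%` still reaches `sprintf`, where an incomplete conversion specification is undefined behaviour. Dropping the second operand, `if (fmt[0] == '%')`, sends that case to the existing `*fmt = ' ';` branch and the loop then stops at the terminator. The function is also defined without a return type and ends in a bare `return;`; `static void wrap_clean_fmt_str (char *fmt, int max_s)` states what it does. Its header comment should mention that the filter string is rewritten in place and that rejected specifiers are blanked without any error being reported.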
