commit aa75acde9c5f406b658c54827bc596cf96d7c64e from: Omar Polo via: Thomas Adam date: Tue Oct 25 19:41:41 2022 UTC check size before calling mmap(2) It's only a preparatory step, as checking whether a size_t is less than SIZE_MAX is moot. In a follow-up commit, however, the `filesize' field of the struct got_pack will become off_t and these checks will kick in. This also makes consistent how we guard mmap(2) against empty files. ok and improvements stsp@
commit - 6cf83e6acc490e33ba4d6792960b0f4f2bc8b674
commit + aa75acde9c5f406b658c54827bc596cf96d7c64e
blob - 122912230183b57a2dc0f9b5b9296607ef96a63b
blob + 19746f0302685d703da8189d3fbf10701c218f59
--- lib/object.c
+++ lib/object.c
@@ -926,7 +926,10 @@ got_object_raw_alloc(struct got_raw_object **obj, uint
 size_t hdrlen, off_t size)
 {
 const struct got_error *err = NULL;
+ off_t tot;
+ tot = hdrlen + size;
+
 *obj = calloc(1, sizeof(**obj));
 if (*obj == NULL) {
 err = got_error_from_errno("calloc");
@@ -944,13 +947,13 @@ got_object_raw_alloc(struct got_raw_object **obj, uint
 goto done;
 }
- if (sb.st_size != hdrlen + size) {
+ if (sb.st_size != tot) {
 err = got_error(GOT_ERR_PRIVSEP_LEN);
 goto done;
 }
 #ifndef GOT_PACK_NO_MMAP
- if (hdrlen + size > 0) {
- (*obj)->data = mmap(NULL, hdrlen + size, PROT_READ,
+ if (tot > 0 && tot <= SIZE_MAX) {
+ (*obj)->data = mmap(NULL, tot, PROT_READ,
 MAP_PRIVATE, *outfd, 0);
 if ((*obj)->data == MAP_FAILED) {
 if (errno != ENOMEM) {
blob - 80b3a23a972cff84ee9fa8845cef55a934659e03
blob + 37cb6aff26ef4f493097e1aea54d0850d54eccc8
--- lib/pack.c
+++ lib/pack.c
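Review bot: In lib/object.c, `tot = hdrlen + size;` at the top of got_object_raw_alloc adds a size_t to an off_t before either value has been validated, so a negative `size` or a sum that does not fit in off_t is stored in `tot` without complaint. Where both types are 64 bits wide the addition is carried out in unsigned arithmetic, and the conversion back to off_t is implementation-defined when the result is out of range. Rejecting `size < 0` and an overflowing sum ahead of the assignment would keep every later use of `tot` well defined, and a comment such as `/* header plus object data; compared with st_size and used as the mmap length below */` would record what the variable stands for. The function starts and ends outside this hunk, so part of this may already be checked elsewhere in the body.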
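Review bot: In the second lib/object.c hunk, `tot <= SIZE_MAX` compares a signed off_t with an unsigned constant, so where the two types have the same width `tot` is converted to unsigned and the bound can never fail; it only takes effect where off_t is wider than size_t. That is harmless after the `tot > 0` test, but it may draw sign-compare warnings and it hides the intent. Spelling the conversion out, for example `if (tot > 0 && (uintmax_t)tot <= SIZE_MAX) {`, and passing `(size_t)tot` to mmap(2) makes the narrowing explicit. The guarded block continues past the end of the hunk.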
@@ -389,13 +389,15 @@ got_packidx_open(struct got_packidx **packidx,
 }
 #ifndef GOT_PACK_NO_MMAP
- p->map = mmap(NULL, p->len, PROT_READ, MAP_PRIVATE, p->fd, 0);
- if (p->map == MAP_FAILED) {
- if (errno != ENOMEM) {
- err = got_error_from_errno("mmap");
- goto done;
+ if (p->len > 0 && p->len <= SIZE_MAX) {
+ p->map = mmap(NULL, p->len, PROT_READ, MAP_PRIVATE, p->fd, 0);
+ if (p->map == MAP_FAILED) {
+ if (errno != ENOMEM) {
+ err = got_error_from_errno("mmap");
+ goto done;
+ }
+ p->map = NULL; /* fall back to read(2) */
 }
- p->map = NULL; /* fall back to read(2) */
 }
 #endif
@@ -1033,7 +1035,6 @@ static const struct got_error *
 resolve_offset_delta(struct got_delta_chain *deltas, struct got_packidx *packidx, struct got_pack *pack, off_t delta_offset, size_t tslen, int delta_type, size_t delta_size, unsigned int recursion)
-
 {
 const struct got_error *err;
 off_t base_offset;
blob - b48c09418db3950ebd066f81eb64d7d89c74da8d
blob + 21cef21a957f01b6963070f9d14fcec19d630204
--- lib/repository.c
+++ lib/repository.c
@@ -1424,14 +1424,16 @@ got_repo_cache_pack(struct got_pack **packp, struct go
 goto done;
 #ifndef GOT_PACK_NO_MMAP
- pack->map = mmap(NULL, pack->filesize, PROT_READ, MAP_PRIVATE,
- pack->fd, 0);
- if (pack->map == MAP_FAILED) {
- if (errno != ENOMEM) {
- err = got_error_from_errno("mmap");
- goto done;
+ if (pack->filesize > 0 && pack->filesize <= SIZE_MAX) {
+ pack->map = mmap(NULL, pack->filesize, PROT_READ, MAP_PRIVATE,
+ pack->fd, 0);
+ if (pack->map == MAP_FAILED) {
+ if (errno != ENOMEM) {
+ err = got_error_from_errno("mmap");
+ goto done;
+ }
+ pack->map = NULL; /* fall back to read(2) */
 }
- pack->map = NULL; /* fall back to read(2) */
 }
 #endif
 done:
blob - d9df223c4e86a5d5d14be7f9e6f64d9f96fcfcb1
blob + a0f1d4ae390427012f9e7eb33d474c2bfb450b32
--- libexec/got-index-pack/got-index-pack.c
+++ libexec/got-index-pack/got-index-pack.c
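Review bot: In got_packidx_open (lib/pack.c), the new guard leaves `p->map` untouched when `p->len` is 0 or out of range, whereas before every path through this block assigned it, either the mapping or NULL. The hunk does not show how `p` is allocated, so unless it is zero-filled beforehand, later tests of `p->map` would read an indeterminate pointer. Setting `p->map = NULL;` just before the `if (p->len > 0 && p->len <= SIZE_MAX) {` line removes that dependency. The same shape appears in got_repo_cache_pack (lib/repository.c), in main (got-index-pack.c, where `pack` is not a pointer and its initialisation is not visible), and in receive_packidx and receive_pack (got-read-pack.c).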
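Review bot: In got_repo_cache_pack (lib/repository.c), the `pack->filesize <= SIZE_MAX` half of the guard is always true while `filesize` is a size_t, which the commit message says is still the case. A reader who sees only the code is likely to take it for a mistake, so a short comment on the guard would help, for example `/* mmap(2) takes a size_t length; skip mapping when filesize is empty or does not fit */`. The function body extends beyond the hunk on both sides.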
@@ -194,10 +194,12 @@ main(int argc, char **argv)
 }
 #ifndef GOT_PACK_NO_MMAP
- pack.map = mmap(NULL, pack.filesize, PROT_READ, MAP_PRIVATE,
- pack.fd, 0);
- if (pack.map == MAP_FAILED)
- pack.map = NULL; /* fall back to read(2) */
+ if (pack.filesize > 0 && pack.filesize <= SIZE_MAX) {
+ pack.map = mmap(NULL, pack.filesize, PROT_READ, MAP_PRIVATE,
+ pack.fd, 0);
+ if (pack.map == MAP_FAILED)
+ pack.map = NULL; /* fall back to read(2) */
+ }
 #endif
 err = got_pack_index(&pack, idxfd, tmpfiles[0], tmpfiles[1], tmpfiles[2], pack_hash, send_index_pack_progress, &ibuf, &rl);
blob - 0ef5492a6774b94872b024b057f3dc9e562b9550
blob + 815281ce0fb9589454f5a668f6cfa75c3374d466
--- libexec/got-read-pack/got-read-pack.c
+++ libexec/got-read-pack/got-read-pack.c
@@ -1146,9 +1146,11 @@ receive_packidx(struct got_packidx **packidx, struct i
 }
 #ifndef GOT_PACK_NO_MMAP
- p->map = mmap(NULL, p->len, PROT_READ, MAP_PRIVATE, p->fd, 0);
- if (p->map == MAP_FAILED)
- p->map = NULL; /* fall back to read(2) */
+ if (p->len > 0 && p->len <= SIZE_MAX) {
+ p->map = mmap(NULL, p->len, PROT_READ, MAP_PRIVATE, p->fd, 0);
+ if (p->map == MAP_FAILED)
+ p->map = NULL; /* fall back to read(2) */
+ }
 #endif
 err = got_packidx_init_hdr(p, 1, ipackidx.packfile_size);
 done:
@@ -1874,10 +1876,12 @@ receive_pack(struct got_pack **packp, struct imsgbuf *
 goto done;
 #ifndef GOT_PACK_NO_MMAP
- pack->map = mmap(NULL, pack->filesize, PROT_READ, MAP_PRIVATE,
- pack->fd, 0);
- if (pack->map == MAP_FAILED)
- pack->map = NULL; /* fall back to read(2) */
+ if (pack->filesize > 0 && pack->filesize <= SIZE_MAX) {
+ pack->map = mmap(NULL, pack->filesize, PROT_READ, MAP_PRIVATE,
+ pack->fd, 0);
+ if (pack->map == MAP_FAILED)
+ pack->map = NULL; /* fall back to read(2) */
+ }
 #endif
 done:
 if (err) {
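Review bot: In main (got-index-pack.c), every mmap(2) failure is turned into `pack.map = NULL` and the read(2) fallback, while the lib/pack.c and lib/repository.c hunks of this commit return `got_error_from_errno("mmap")` unless errno is ENOMEM. An error such as EACCES or EBADF points at a bad descriptor rather than memory pressure, and falling back hides it until a later read fails with less context. Either apply the same `errno != ENOMEM` test here and leave through the function's error path, or add a comment saying why the helper tolerates all errors. receive_packidx and receive_pack in got-read-pack.c do the same; the error exit of main lies outside the hunk.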
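Review bot: In receive_packidx (got-read-pack.c), `p->len` is used as the mmap(2) length with no visible comparison against the real size of `p->fd`, whereas the lib/object.c hunk of this commit compares `sb.st_size` with the expected total before mapping. If `p->len` arrives over the imsg channel (not shown here, to be confirmed), a length larger than the file yields a mapping whose tail faults on access. An fstat(2) check ahead of the guard, rejecting a mismatch the way object.c does with `got_error(GOT_ERR_PRIVSEP_LEN)`, would close that gap. receive_pack has the same pattern with `pack->filesize`; both functions start before their hunks, so the check may already exist earlier in the body.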