Fix an integer overflow for very long lines by replacing the datatype of 2 offsets from int to regoff_t.

Bail if the given size_t line length doesn't fit into the new regoff_t.

"I don't think you will ever be able to get a string longer than
SSIZE_MAX into memory, but that looks good." tedu@

"Agreed" otto@

regoff_t suggested by otto@

1 files changed, 9 insertions, 3 deletions

diff --git a/usr.bin/grep/util.c b/usr.bin/grep/util.c
index 6e5e28983c0..2c765d594f9 100644
--- a/usr.bin/grep/util.c
+++ b/usr.bin/grep/util.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: util.c,v 1.41 2011/07/11 20:43:21 tedu Exp $	*/
+/*	$OpenBSD: util.c,v 1.42 2011/07/17 19:39:21 aschrijver Exp $	*/
 
 /*-
  * Copyright (c) 1999 James Howard and Dag-Erling Coïdan Smørgrav
@@ -169,7 +169,13 @@ procline(str_t *l, int nottext)
 {
 	regmatch_t	pmatch;
 	int		c, i, r;
-	int		offset;
+	regoff_t	offset;
+
+	/* size_t will be converted to regoff_t. ssize_t is guaranteed to fit
+	 * into regoff_t */
+	if (l->len > SSIZE_MAX) {
+		errx(2, "Line is too big to process");
+	}
 
 	c = 0;
 	i = 0;
@@ -444,7 +450,7 @@ grep_search(fastgrep_t *fg, char *data, size_t dataLen, regmatch_t *pmatch)
 #ifdef SMALL
 	return 0;
 #else
-	int j;
+	regoff_t j;
 	int rtrnVal = REG_NOMATCH;
 
 	pmatch->rm_so = -1;