From 1a650ca58fdebc65caed223dbfd24091808056c3 Mon Sep 17 00:00:00 2001 From: jilles Date: Fri, 28 Sep 2018 12:29:53 +0000 Subject: [PATCH] MFC r338473: sh: Fix formal overflow in pointer arithmetic The intention is to lower the value of the pointer, which according to ubsan cannot be done by adding an unsigned quantity. Reported by: kevans --- bin/sh/expand.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/sh/expand.c b/bin/sh/expand.c index 6d0aaf38fc0..9e662b7df22 100644 --- a/bin/sh/expand.c +++ b/bin/sh/expand.c @@ -896,7 +896,7 @@ reprocess(int startloc, int flag, int subtype, int quoted, startp = stackblock() + startloc; len = expdest - startp; - if (len >= SIZE_MAX / 2) + if (len >= SIZE_MAX / 2 || len > PTRDIFF_MAX) abort(); INTOFF; if (len >= buflen) { @@ -912,7 +912,7 @@ reprocess(int startloc, int flag, int subtype, int quoted, INTON; memcpy(buf, startp, len); buf[len] = '\0'; - STADJUST(-len, expdest); + STADJUST(-(ptrdiff_t)len, expdest); for (zpos = 0;;) { zlen = strlen(buf + zpos); strtodest(buf + zpos, flag, subtype, quoted, dst); -- 2.45.0