===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/tmux/cmd-load-buffer.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -c -r1.8 -r1.9
*** src/usr.bin/tmux/cmd-load-buffer.c	2009/11/13 19:53:29	1.8
--- src/usr.bin/tmux/cmd-load-buffer.c	2009/11/26 22:28:24	1.9
***************
*** 1,4 ****
! /* $OpenBSD: cmd-load-buffer.c,v 1.8 2009/11/13 19:53:29 nicm Exp $ */
  
  /*
   * Copyright (c) 2009 Tiago Cunha <me@tiagocunha.org>
--- 1,4 ----
! /* $OpenBSD: cmd-load-buffer.c,v 1.9 2009/11/26 22:28:24 nicm Exp $ */
  
  /*
   * Copyright (c) 2009 Tiago Cunha <me@tiagocunha.org>
***************
*** 50,56 ****
  	struct session		*s;
  	struct stat		 sb;
  	FILE			*f;
! 	u_char		      	*buf;
  	u_int			 limit;
  
  	if ((s = cmd_find_session(ctx, data->target)) == NULL)
--- 50,57 ----
  	struct session		*s;
  	struct stat		 sb;
  	FILE			*f;
! 	char		      	*pdata = NULL;
! 	size_t			 psize;
  	u_int			 limit;
  
  	if ((s = cmd_find_session(ctx, data->target)) == NULL)
***************
*** 63,101 ****
  
  	if (fstat(fileno(f), &sb) < 0) {
  		ctx->error(ctx, "%s: %s", data->arg, strerror(errno));
! 		fclose(f);
! 		return (-1);
  	}
  
  	/*
  	 * We don't want to die due to memory exhaustion, hence xmalloc can't
  	 * be used here.
  	 */
! 	if ((buf = malloc(sb.st_size + 1)) == NULL) {
  		ctx->error(ctx, "malloc error: %s", strerror(errno));
! 		fclose(f);
! 		return (-1);
  	}
  
! 	if (fread(buf, 1, sb.st_size, f) != (size_t) sb.st_size) {
  		ctx->error(ctx, "%s: fread error", data->arg);
! 		xfree(buf);
! 		fclose(f);
! 		return (-1);
  	}
  
  	fclose(f);
  
  	limit = options_get_number(&s->options, "buffer-limit");
  	if (data->buffer == -1) {
! 		paste_add(&s->buffers, buf, sb.st_size, limit);
  		return (0);
  	}
! 	if (paste_replace(&s->buffers, data->buffer, buf, sb.st_size) != 0) {
  		ctx->error(ctx, "no buffer %d", data->buffer);
! 		xfree(buf);
! 		return (-1);
  	}
  
  	return (0);
  }
--- 64,108 ----
  
  	if (fstat(fileno(f), &sb) < 0) {
  		ctx->error(ctx, "%s: %s", data->arg, strerror(errno));
! 		goto error;
  	}
+ 	if (sb.st_size > SIZE_MAX) {
+ 		ctx->error(ctx, "%s: file too large", data->arg);
+ 		goto error;
+ 	}
+ 	psize = (size_t) sb.st_size;
  
  	/*
  	 * We don't want to die due to memory exhaustion, hence xmalloc can't
  	 * be used here.
  	 */
! 	if ((pdata = malloc(psize)) == NULL) {
  		ctx->error(ctx, "malloc error: %s", strerror(errno));
! 		goto error;
  	}
  
! 	if (fread(pdata, 1, psize, f) != psize) {
  		ctx->error(ctx, "%s: fread error", data->arg);
! 		goto error;
  	}
  
  	fclose(f);
  
  	limit = options_get_number(&s->options, "buffer-limit");
  	if (data->buffer == -1) {
! 		paste_add(&s->buffers, pdata, psize, limit);
  		return (0);
  	}
! 	if (paste_replace(&s->buffers, data->buffer, pdata, psize) != 0) {
  		ctx->error(ctx, "no buffer %d", data->buffer);
! 		goto error;
  	}
  
  	return (0);
+ 
+ error:
+ 	if (pdata != NULL)
+ 		xfree(pdata);
+ 	fclose(f);
+ 	return (-1);
  }