=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/tmux/cmd-load-buffer.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- src/usr.bin/tmux/cmd-load-buffer.c 2009/11/13 19:53:29 1.8 +++ src/usr.bin/tmux/cmd-load-buffer.c 2009/11/26 22:28:24 1.9 @@ -1,4 +1,4 @@ -/* $OpenBSD: cmd-load-buffer.c,v 1.8 2009/11/13 19:53:29 nicm Exp $ */ +/* $OpenBSD: cmd-load-buffer.c,v 1.9 2009/11/26 22:28:24 nicm Exp $ */ /* * Copyright (c) 2009 Tiago Cunha @@ -50,7 +50,8 @@ struct session *s; struct stat sb; FILE *f; - u_char *buf; + char *pdata = NULL; + size_t psize; u_int limit; if ((s = cmd_find_session(ctx, data->target)) == NULL) @@ -63,39 +64,45 @@ if (fstat(fileno(f), &sb) < 0) { ctx->error(ctx, "%s: %s", data->arg, strerror(errno)); - fclose(f); - return (-1); + goto error; } + if (sb.st_size > SIZE_MAX) { + ctx->error(ctx, "%s: file too large", data->arg); + goto error; + } + psize = (size_t) sb.st_size; /* * We don't want to die due to memory exhaustion, hence xmalloc can't * be used here. */ - if ((buf = malloc(sb.st_size + 1)) == NULL) { + if ((pdata = malloc(psize)) == NULL) { ctx->error(ctx, "malloc error: %s", strerror(errno)); - fclose(f); - return (-1); + goto error; } - if (fread(buf, 1, sb.st_size, f) != (size_t) sb.st_size) { + if (fread(pdata, 1, psize, f) != psize) { ctx->error(ctx, "%s: fread error", data->arg); - xfree(buf); - fclose(f); - return (-1); + goto error; } fclose(f); limit = options_get_number(&s->options, "buffer-limit"); if (data->buffer == -1) { - paste_add(&s->buffers, buf, sb.st_size, limit); + paste_add(&s->buffers, pdata, psize, limit); return (0); } - if (paste_replace(&s->buffers, data->buffer, buf, sb.st_size) != 0) { + if (paste_replace(&s->buffers, data->buffer, pdata, psize) != 0) { ctx->error(ctx, "no buffer %d", data->buffer); - xfree(buf); - return (-1); + goto error; } return (0); + +error: + if (pdata != NULL) + xfree(pdata); + fclose(f); + return (-1); }