From a2229407e54a7e9afdb4310b426fa14676c893f7 Mon Sep 17 00:00:00 2001
From: Juli Mallett <jmallett@FreeBSD.org>
Date: Wed, 17 Oct 2007 11:41:40 +0000
Subject: [PATCH] Prevent strange crashes in fmt with absurd goal lengths
 introduced by the support for wide characters.

If the sizeof (wchar_t) times max_length would yield a value beyond
representation in a size_t, exit with a usage error up front, rather than
strange errors down the line from trying to malloc (well, realloc) with a size
of 0.

This is perhaps not the optimal behaviour - a clamp may be more appropriate as
we clamp the value of max_length now anyway, but this is at least better than
segfaulting or worse.  On systems which are friendly to malloc with a value of 0
the results could end up being strange corruption of the output.
---
 usr.bin/fmt/fmt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr.bin/fmt/fmt.c b/usr.bin/fmt/fmt.c
index 33f92b1b82d5..ed85c2e49f2a 100644
--- a/usr.bin/fmt/fmt.c
+++ b/usr.bin/fmt/fmt.c
@@ -176,6 +176,7 @@ static const char copyright[] =
 __FBSDID("$FreeBSD$");
 
 #include <err.h>
+#include <limits.h>
 #include <locale.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -351,6 +352,7 @@ main(int argc, char *argv[]) {
   }
   if (goal_length==0) goal_length = 65;
   if (max_length==0) max_length = goal_length+10;
+  if (max_length >= SIZE_T_MAX / sizeof (wchar_t)) errx(EX_USAGE, "max length too large");
   /* really needn't be longer */
   output_buffer = XMALLOC((max_length+1) * sizeof(wchar_t));