Check for possible overflow from sysconf _SC_ARG_MAX and error out in a

correct manner.  Revert my incorrect change to use err(3) for malloc(3)
failing.  Use a size_t variable to store the size of the argument buffer
we allocate, and remove silly casts as the result of having this around.
Modify the math in some of the paranoid checks for buffer overflow to
account for the fact we now are dealing with the actual size of the
buffer.  Remove the static qualifier for arg_max, and the bogus setting
of it to -1.

Include <limits.h> for the definitions we use to check for possible
overflows.

Submitted by:	bde

bin/ps/fmt.c

@@ -46,6 +46,7 @@ static char sccsid[] = "@(#)fmt.c	8.4 (Berkeley) 4/15/94";
 #include <sys/resource.h>
 
 #include <err.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -64,7 +65,8 @@ static char *shquote(char **);
 static char *
 shquote(char **argv)
 {
-	static long arg_max = -1;
+	long arg_max;
+	static size_t buf_size;
 	size_t len;
 	char **p, *dst, *src;
 	static char *buf = NULL;
@@ -72,8 +74,11 @@ shquote(char **argv)
 	if (buf == NULL) {
 		if ((arg_max = sysconf(_SC_ARG_MAX)) == -1)
 			errx(1, "sysconf _SC_ARG_MAX failed");
-		if ((buf = malloc((size_t)(4 * arg_max) + 1)) == NULL)
-			err(1, "malloc");
+		if (arg_max >= LONG_MAX / 4 || 4 * arg_max + 1 > SIZE_MAX)
+			errx(1, "sysconf _SC_ARG_MAX preposterously large");
+		buf_size = 4 * arg_max + 1;
+		if ((buf = malloc(buf_size)) == NULL)
+			errx(1, "malloc failed");
 	}
 
 	if (*argv == 0) {
@@ -84,12 +89,12 @@ shquote(char **argv)
 	for (p = argv; (src = *p++) != 0; ) {
 		if (*src == 0)
 			continue;
-		len = (size_t)(4 * arg_max - (dst - buf)) / 4;
+		len = (buf_size - 1 - (dst - buf)) / 4;
 		strvisx(dst, src, strlen(src) < len ? strlen(src) : len,
 		    VIS_NL | VIS_CSTYLE);
 		while (*dst)
 			dst++;
-		if ((4 * arg_max - (dst - buf)) / 4 > 0)
+		if ((buf_size - 1 - (dst - buf)) / 4 > 0)
 			*dst++ = ' ';
 	}
 	/* Chop off trailing space */