authorKen Raeburn <raeburn@mit.edu>2004-06-19 00:28:06 +0000
committerKen Raeburn <raeburn@mit.edu>2004-06-19 00:28:06 +0000
commitc550ff5b95f8e659f091109cc33e185197ee0b87 (patch)
tree89f6021bffb5102b34aa215fce659e6932769bf3
parent4cb2c85fc7410b3e4a8559386fd17a51832caf12 (diff)
* mpool/mpool.c (mpool_get, mpool_write): Check that the offset calculation
didn't overflow. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16495 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/util/db2/ChangeLog5
-rw-r--r--src/util/db2/mpool/mpool.c12
2 files changed, 17 insertions, 0 deletions
diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog
index 146525c81..6ac7cfab9 100644
--- a/src/util/db2/ChangeLog
+++ b/src/util/db2/ChangeLog
@@ -1,3 +1,8 @@
+2004-06-15 Ken Raeburn <raeburn@mit.edu>
+
+ * mpool/mpool.c (mpool_get, mpool_write): Check that the offset
+ calculation didn't overflow.
+
2004-06-11 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (include/generated.stmp): New intermediate target
diff --git a/src/util/db2/mpool/mpool.c b/src/util/db2/mpool/mpool.c
index 12e557d03..d172f71ba 100644
--- a/src/util/db2/mpool/mpool.c
+++ b/src/util/db2/mpool/mpool.c
@@ -227,6 +227,12 @@ mpool_get(mp, pgno, flags)
++mp->pageread;
#endif
off = mp->pagesize * pgno;
+ if (off / mp->pagesize != pgno) {
+ /* Run past the end of the file, or at least the part we
+ can address without large-file support? */
+ errno = E2BIG;
+ return NULL;
+ }
if (lseek(mp->fd, off, SEEK_SET) != off)
return (NULL);
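Review bot: The guard added after `off = mp->pagesize * pgno;` detects a product that wraps, but not one that fits the unsigned multiplication and becomes negative once stored in `off`. Assuming `off` is a signed `off_t` and `mp->pagesize` is unsigned (the declarations are outside this hunk), such a value converts back for the division and still yields `pgno`, so the check passes and the negative offset is left for `lseek` to reject. Testing the sign first closes the gap: `if (off < 0 || off / mp->pagesize != pgno) {`. The identical guard in the mpool_write hunk needs the same change, and a one-line comment naming the operand types would explain why the division round-trip is sufficient.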
@@ -416,6 +422,12 @@ mpool_write(mp, bp)
(mp->pgout)(mp->pgcookie, bp->pgno, bp->page);
off = mp->pagesize * bp->pgno;
+ if (off / mp->pagesize != bp->pgno) {
+ /* Run past the end of the file, or at least the part we
+ can address without large-file support? */
+ errno = E2BIG;
+ return RET_ERROR;
+ }
if (lseek(mp->fd, off, SEEK_SET) != off)
return (RET_ERROR);
if (write(mp->fd, bp->page, mp->pagesize) != mp->pagesize)
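Review bot: In mpool_write the new early return comes after the `(mp->pgout)(mp->pgcookie, bp->pgno, bp->page);` call, so on overflow the function returns RET_ERROR with the page buffer already handed to the output callback. The offset depends only on `mp->pagesize` and `bp->pgno`, so computing `off` and running the check before the pgout call would reject an unaddressable page without touching it. Whether the callback changes the page in place, and whether later code in the function reverses that, is outside this hunk. The existing `lseek` failure path just below has the same ordering.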