tailf crashes with a segmentation fault when used with a file that is
exactly 4GB in size due to an integer overflow between off_t and size_t:
$ dd if=/dev/zero of=tailf.crash bs=1 count=1 seek=4294967295
$ tailf tailf.crash
Segmentation fault
$ _
Signed-off-by: Tobias Stoeckmann <tobias@xxxxxxxxxxxxxx>
---
text-utils/tailf.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/text-utils/tailf.c b/text-utils/tailf.c
index ea082c7..e9ba49b 100644
--- a/text-utils/tailf.c
+++ b/text-utils/tailf.c
@@ -42,6 +42,7 @@
#include <errno.h>
#include <getopt.h>
#include <sys/mman.h>
+#include <limits.h>
#ifdef HAVE_INOTIFY_INIT
#include <sys/inotify.h>
@@ -55,7 +56,7 @@
#define DEFAULT_LINES 10
-/* st->st_size has to be greater than zero! */
+/* st->st_size has to be greater than zero and smaller or equal to SIZE_MAX! */
static void tailf(const char *filename, size_t lines, struct stat *st)
{
int fd;
@@ -281,7 +282,7 @@ int main(int argc, char **argv)
err(EXIT_FAILURE, _("stat of %s failed"), filename);
if (!S_ISREG(st.st_mode))
errx(EXIT_FAILURE, _("%s: is not a file"), filename);
- if (st.st_size)
+ if (st.st_size && st.st_size <= SIZE_MAX)
tailf(filename, lines, &st);
#ifdef HAVE_INOTIFY_INIT
--
2.9.0
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
