authorBalint Reczey <balint@balintreczey.hu>2016-11-30 02:36:06 +0100
committerBalint Reczey <balint@balintreczey.hu>2016-11-30 02:36:06 +0100
commit365658d0f3a51814626afbb70aa2dd7b5e82ac36 (patch)
tree7218fb9147359258fda0f9a43da5a29b2d20e85b /libmisc/idmapping.c
parentbfaa59229d61adb7fa0c570f0d94fd324c6e05aa (diff)
Imported Upstream version 4.4upstream/4.4
Diffstat (limited to 'libmisc/idmapping.c')
-rw-r--r--libmisc/idmapping.c35
1 files changed, 31 insertions, 4 deletions
diff --git a/libmisc/idmapping.c b/libmisc/idmapping.c
index 714c29eb..db254fcb 100644
--- a/libmisc/idmapping.c
+++ b/libmisc/idmapping.c
@@ -70,13 +70,40 @@ struct map_range *get_map_ranges(int ranges, int argc, char **argv)
/* Gather up the ranges from the command line */
mapping = mappings;
- for (idx = 0; idx < ranges; idx++, argidx += 3, mapping++) {
- if (!getulong(argv[argidx + 0], &mapping->upper))
+ for (idx = 0, argidx = 0; idx < ranges; idx++, argidx += 3, mapping++) {
+ if (!getulong(argv[argidx + 0], &mapping->upper)) {
+ free(mappings);
return NULL;
- if (!getulong(argv[argidx + 1], &mapping->lower))
+ }
+ if (!getulong(argv[argidx + 1], &mapping->lower)) {
+ free(mappings);
return NULL;
- if (!getulong(argv[argidx + 2], &mapping->count))
+ }
+ if (!getulong(argv[argidx + 2], &mapping->count)) {
+ free(mappings);
return NULL;
+ }
+ if (ULONG_MAX - mapping->upper <= mapping->count || ULONG_MAX - mapping->lower <= mapping->count) {
+ fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+ exit(EXIT_FAILURE);
+ }
+ if (mapping->upper > UINT_MAX ||
+ mapping->lower > UINT_MAX ||
+ mapping->count > UINT_MAX) {
+ fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+ exit(EXIT_FAILURE);
+ }
+ if (mapping->lower + mapping->count > UINT_MAX ||
+ mapping->upper + mapping->count > UINT_MAX) {
+ fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+ exit(EXIT_FAILURE);
+ }
+ if (mapping->lower + mapping->count < mapping->lower ||
+ mapping->upper + mapping->count < mapping->upper) {
+ /* this one really shouldn't be possible given previous checks */
+ fprintf(stderr, _( "%s: subuid overflow detected.\n"), Prog);
+ exit(EXIT_FAILURE);
+ }
}
return mappings;
}
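Review bot: The four overflow guards added at the end of the loop body overlap, and nothing says which bound each one enforces. The `ULONG_MAX - mapping->upper <= mapping->count` test is what keeps the later `lower + count` and `upper + count` sums from wrapping, and the last `< mapping->lower` block is unreachable after it, as its own comment concedes. I would put a comment such as `/* reject ranges that wrap unsigned long or fall outside the 32-bit id space */` above the first guard and drop the final block. These paths also call `exit(EXIT_FAILURE)` while the parse failures just above free `mappings` and return NULL, and the message says "subuid" although the helper's name suggests it may also serve gid maps; both are worth confirming against the callers. get_map_ranges begins outside the hunk, so whether `argc` is checked against `ranges * 3` before the `argv[argidx + 2]` reads cannot be seen from here.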