From 5a04faeb71440b1f24533a07e5230c7d4655f7da Mon Sep 17 00:00:00 2001
From: cheloha
Date: Mon, 23 Jul 2018 23:09:37 +0000
Subject: [PATCH] Don't cast malloc(3) size to u_int.

Large buffer sizes on 64-bit platforms cause the sum to wrap, leading read(2) to fail later.

We check prior to this point that all buffer sizes are <= SSIZE_MAX. SSIZE_MAX * 2 < SIZE_MAX on all platforms, so the addition here will not overflow and cause a similar issue.

Discovered by tobias@ a while back.

ok deraadt millert tobias
---
 bin/dd/dd.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/bin/dd/dd.c b/bin/dd/dd.c
index 1c20697f66e..94c38fe8c53 100644
--- a/bin/dd/dd.c
+++ b/bin/dd/dd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dd.c,v 1.24 2017/08/13 02:06:42 tedu Exp $ */
+/* $OpenBSD: dd.c,v 1.25 2018/07/23 23:09:37 cheloha Exp $ */
 /* $NetBSD: dd.c,v 1.6 1996/02/20 19:29:06 jtc Exp $ */
 
 /*-
@@ -136,10 +136,14 @@ setup(void)
 if ((in.db = malloc(out.dbsz + in.dbsz - 1)) == NULL)
 err(1, "input buffer");
 out.db = in.db;
- } else if ((in.db =
- malloc((u_int)(MAXIMUM(in.dbsz, cbsz) + cbsz))) == NULL ||
- (out.db = malloc((u_int)(out.dbsz + cbsz))) == NULL)
- err(1, "output buffer");
+ } else {
+ in.db = malloc(MAXIMUM(in.dbsz, cbsz) + cbsz);
+ if (in.db == NULL)
+ err(1, "input buffer");
+ out.db = malloc(out.dbsz + cbsz);
+ if (out.db == NULL)
+ err(1, "output buffer");
+ }
 in.dbp = in.db;
 out.dbp = out.db;
 
-- 
2.20.1
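Review bot: The new allocation sizes in `in.db = malloc(MAXIMUM(in.dbsz, cbsz) + cbsz);` and `out.db = malloc(out.dbsz + cbsz);` are overflow-safe only because of a bound enforced somewhere outside this hunk, and nothing at the allocation site records that, so a later change that relaxes the bound or adds a third operand to either sum would silently reintroduce the wrap this commit removes. I would state the invariant next to the allocations, e.g. `/* Every buffer size is bounded to SSIZE_MAX during option parsing, so a size_t sum of two of them cannot wrap. */`, which also documents why the earlier `malloc(out.dbsz + in.dbsz - 1)` in the same branch is safe. This assumes cbsz is covered by the same check the commit message describes for "all buffer sizes"; if it is not, it needs that bound before it is used here. The enclosing setup() begins before and continues after this hunk.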