From dd5afc0eb66ce434cb58ddc7f6ba247f37674b5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kai=20M=C3=A4kisara?= <kai.makisara@kolumbus.fi>
Date: Thu, 11 Feb 2016 13:45:33 +0200
Subject: [PATCH] Check for overflow when using k, M or G

Check that using a postfix (k, M, G) with repeat count does not cause
overflow in the int mtop.mt_count.
---
 mt.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/mt.c b/mt.c
index c39fbff..343934c 100644
--- a/mt.c
+++ b/mt.c
@@ -16,6 +16,7 @@
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -444,18 +445,30 @@ usage(int explain)
 	static int
 do_standard(int mtfd, cmdef_tr *cmd, int argc, char **argv)
 {
+    int multiplier, max_count;
     struct mtop mt_com;
     char *endp;
 
     mt_com.mt_op = cmd->cmd_code;
     mt_com.mt_count = (argc > 0 ? strtol(*argv, &endp, 0) : 1);
     if (argc > 0 && endp != *argv) {
+	multiplier = 1;
 	if (*endp == 'k')
-	    mt_com.mt_count *= 1024;
+	    multiplier = 1024;
 	else if (*endp == 'M')
-	    mt_com.mt_count *= 1024 * 1024;
+	    multiplier = 1024 * 1024;
 	else if (*endp == 'G')
-	    mt_com.mt_count *= 1024 * 1024 * 1024;
+	    multiplier = 1024 * 1024 * 1024;
+	else if (*endp != 0) {
+	    fprintf(stderr, "mt: illegal count unit.\n");
+	    return 3;
+	}
+	max_count = INT_MAX / multiplier;
+	if (mt_com.mt_count > max_count) {
+	    fprintf(stderr, "mt: repeat count too large.\n");
+	    return 3;
+	}
+	mt_com.mt_count *= multiplier;
     }
     mt_com.mt_count |= cmd->cmd_count_bits;
     if (mt_com.mt_count < 0) {