From db6e1f035de2541b962ea85181d31d78835ed3cd Mon Sep 17 00:00:00 2001
From: dtucker <>
Date: Fri, 14 Oct 2016 18:19:04 +0000
Subject: [PATCH] Cast pointers to uintptr_t to avoid potential signedness
 errors. Based on patch from yuanjie.huang at windriver.com via OpenSSH
 bz#2608, with & ok millert, ok deraadt.

---
 src/lib/libc/string/strlcat.c | 12 +++++++++---
 src/lib/libc/string/strlcpy.c | 10 ++++++++--
 src/lib/libc/string/strnlen.c |  9 +++++++--
 3 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/lib/libc/string/strlcat.c b/src/lib/libc/string/strlcat.c
index 073b0d42..410f448b 100644
--- a/src/lib/libc/string/strlcat.c
+++ b/src/lib/libc/string/strlcat.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: strlcat.c,v 1.16 2015/08/31 02:53:57 guenther Exp $	*/
+/*	$OpenBSD: strlcat.c,v 1.17 2016/10/14 18:19:04 dtucker Exp $	*/
 
 /*
  * Copyright (c) 1998, 2015 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,6 +18,7 @@
 
 #include <sys/types.h>
 #include <string.h>
+#include <stdint.h>
 
 /*
  * Appends src to string dst of size dsize (unlike strncat, dsize is the
@@ -37,7 +38,7 @@ strlcat(char *dst, const char *src, size_t dsize)
 	/* Find the end of dst and adjust bytes left but don't go past end. */
 	while (n-- != 0 && *dst != '\0')
 		dst++;
-	dlen = dst - odst;
+	dlen = (uintptr_t)dst - (uintptr_t)odst;
 	n = dsize - dlen;
 
 	if (n-- == 0)
@@ -51,6 +52,11 @@ strlcat(char *dst, const char *src, size_t dsize)
 	}
 	*dst = '\0';
 
-	return(dlen + (src - osrc));	/* count does not include NUL */
+        /*
+	 * Cast pointers to unsigned type before calculation, to avoid signed
+	 * overflow when the string ends where the MSB has changed.
+	 * Return value does not include NUL.
+	 */
+	return (dlen + ((uintptr_t)src - (uintptr_t)osrc));
 }
 DEF_WEAK(strlcat);
diff --git a/src/lib/libc/string/strlcpy.c b/src/lib/libc/string/strlcpy.c
index 5fcf084a..f2828346 100644
--- a/src/lib/libc/string/strlcpy.c
+++ b/src/lib/libc/string/strlcpy.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: strlcpy.c,v 1.13 2015/08/31 02:53:57 guenther Exp $	*/
+/*	$OpenBSD: strlcpy.c,v 1.14 2016/10/14 18:19:04 dtucker Exp $	*/
 
 /*
  * Copyright (c) 1998, 2015 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -18,6 +18,7 @@
 
 #include <sys/types.h>
 #include <string.h>
+#include <stdint.h>
 
 /*
  * Copy string src to buffer dst of size dsize.  At most dsize-1
@@ -46,6 +47,11 @@ strlcpy(char *dst, const char *src, size_t dsize)
 			;
 	}
 
-	return(src - osrc - 1);	/* count does not include NUL */
+	/*
+	 * Cast pointers to unsigned type before calculation, to avoid signed
+	 * overflow when the string ends where the MSB has changed.
+	 * Return value does not include NUL.
+	 */
+	return((uintptr_t)src - (uintptr_t)osrc - 1); 
 }
 DEF_WEAK(strlcpy);
diff --git a/src/lib/libc/string/strnlen.c b/src/lib/libc/string/strnlen.c
index 26e9743f..33c3b6e2 100644
--- a/src/lib/libc/string/strnlen.c
+++ b/src/lib/libc/string/strnlen.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: strnlen.c,v 1.6 2015/08/31 02:53:57 guenther Exp $	*/
+/*	$OpenBSD: strnlen.c,v 1.7 2016/10/14 18:19:04 dtucker Exp $	*/
 
 /*
  * Copyright (c) 2010 Todd C. Miller <Todd.Miller@courtesan.com>
@@ -19,6 +19,7 @@
 #include <sys/types.h>
 
 #include <string.h>
+#include <stdint.h>
 
 size_t
 strnlen(const char *str, size_t maxlen)
@@ -28,6 +29,10 @@ strnlen(const char *str, size_t maxlen)
 	for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
 		;
 
-	return (size_t)(cp - str);
+	/*
+	 * Cast pointers to unsigned type before calculation, to avoid signed
+	 * overflow when the string ends where the MSB has changed.
+	 */
+	return (size_t)((uintptr_t)cp - (uintptr_t)str);
 }
 DEF_WEAK(strnlen);