diff --git a/lib/libc/stdio/fdopen.c b/lib/libc/stdio/fdopen.c index c1998713c6c..02378edcdce 100644 --- a/lib/libc/stdio/fdopen.c +++ b/lib/libc/stdio/fdopen.c @@ -57,6 +57,18 @@ fdopen(fd, mode) if (nofile == 0) nofile = getdtablesize(); + /* + * File descriptors are a full int, but _file is only a short. + * If we get a valid file descriptor that is greater than + * SHRT_MAX, then the fd will get sign-extended into an + * invalid file descriptor. Handle this case by failing the + * open. + */ + if (fd > SHRT_MAX) { + errno = EMFILE; + return (NULL); + } + if ((flags = __sflags(mode, &oflags)) == 0) return (NULL); diff --git a/lib/libc/stdio/fopen.c b/lib/libc/stdio/fopen.c index 9cedcda6a4d..a6c0028dbd9 100644 --- a/lib/libc/stdio/fopen.c +++ b/lib/libc/stdio/fopen.c @@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include "un-namespace.h" @@ -63,6 +64,18 @@ fopen(file, mode) fp->_flags = 0; /* release */ return (NULL); } + /* + * File descriptors are a full int, but _file is only a short. + * If we get a valid file descriptor that is greater than + * SHRT_MAX, then the fd will get sign-extended into an + * invalid file descriptor. Handle this case by failing the + * open. + */ + if (f > SHRT_MAX) { + _close(f); + errno = EMFILE; + return (NULL); + } fp->_file = f; fp->_flags = flags; fp->_cookie = fp; diff --git a/lib/libc/stdio/freopen.c b/lib/libc/stdio/freopen.c index b5bc8840d51..a5663866c29 100644 --- a/lib/libc/stdio/freopen.c +++ b/lib/libc/stdio/freopen.c @@ -203,6 +203,20 @@ finish: } } + /* + * File descriptors are a full int, but _file is only a short. + * If we get a valid file descriptor that is greater than + * SHRT_MAX, then the fd will get sign-extended into an + * invalid file descriptor. Handle this case by failing the + * open. + */ + if (f > SHRT_MAX) { + fp->_flags = 0; /* set it free */ + FUNLOCKFILE(fp); + errno = EMFILE; + return (NULL); + } + fp->_flags = flags; fp->_file = f; fp->_cookie = fp;