(sys_close): If FD is outside [0..MAXDESC) limits, pass it directly to _close.

(sys_dup): Protect against new_fd larger than fd_info[] can handle.
(sys_read): If FD is outside [0..MAXDESC) limits, pass it directly to _read.
(sys_write):  If FD is outside [0..MAXDESC) limits, pass it directly to _write.

diff --git a/src/ChangeLog b/src/ChangeLog
index b7f76bb6365193a4abf72469d53784215cee5e58..51b607477c6e503784c2d8a14b4a5470e2932104 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,13 @@
 2006-01-20  Eli Zaretskii  <eliz@gnu.org>
 
+       * w32.c (sys_close): If FD is outside [0..MAXDESC) limits, pass it
+       directly to _close.
+       (sys_dup): Protect against new_fd larger than fd_info[] can handle.
+       (sys_read): If FD is outside [0..MAXDESC) limits, pass it directly
+       to _read.
+       (sys_write):  If FD is outside [0..MAXDESC) limits, pass it
+       directly to _write.
+
        * .gdbinit: Don't dereference Vsystem_type's Lisp_Symbol pointer
        if it is NULL.
 

diff --git a/src/w32.c b/src/w32.c
index 9a51233527d46564798601c5aeb29e63bcd01fa9..9860a6cc3532ba7a4f785767c1b8bee69c28a286 100644 (file)
--- a/src/w32.c
+++ b/src/w32.c
@@ -3426,13 +3426,13 @@ sys_close (int fd)
 {
   int rc;
 
-  if (fd < 0 || fd >= MAXDESC)
+  if (fd < 0)
     {
       errno = EBADF;
       return -1;
     }
 
-  if (fd_info[fd].cp)
+  if (fd < MAXDESC && fd_info[fd].cp)
     {
       child_process * cp = fd_info[fd].cp;
 
@@ -3474,7 +3474,7 @@ sys_close (int fd)
      because socket handles are fully fledged kernel handles. */
   rc = _close (fd);
 
-  if (rc == 0)
+  if (rc == 0 && fd < MAXDESC)
     fd_info[fd].flags = 0;
 
   return rc;
@@ -3486,7 +3486,7 @@ sys_dup (int fd)
   int new_fd;
 
   new_fd = _dup (fd);
-  if (new_fd >= 0)
+  if (new_fd >= 0 && new_fd < MAXDESC)
     {
       /* duplicate our internal info as well */
       fd_info[new_fd] = fd_info[fd];
@@ -3641,13 +3641,13 @@ sys_read (int fd, char * buffer, unsigned int count)
   DWORD waiting;
   char * orig_buffer = buffer;
 
-  if (fd < 0 || fd >= MAXDESC)
+  if (fd < 0)
     {
       errno = EBADF;
       return -1;
     }
 
-  if (fd_info[fd].flags & (FILE_PIPE | FILE_SOCKET))
+  if (fd < MAXDESC && fd_info[fd].flags & (FILE_PIPE | FILE_SOCKET))
     {
       child_process *cp = fd_info[fd].cp;
 
@@ -3785,13 +3785,13 @@ sys_write (int fd, const void * buffer, unsigned int count)
 {
   int nchars;
 
-  if (fd < 0 || fd >= MAXDESC)
+  if (fd < 0)
     {
       errno = EBADF;
       return -1;
     }
 
-  if (fd_info[fd].flags & (FILE_PIPE | FILE_SOCKET))
+  if (fd < MAXDESC && fd_info[fd].flags & (FILE_PIPE | FILE_SOCKET))
     {
       if ((fd_info[fd].flags & FILE_WRITE) == 0)
        {
@@ -3833,7 +3833,7 @@ sys_write (int fd, const void * buffer, unsigned int count)
     }
 
 #ifdef HAVE_SOCKETS
-  if (fd_info[fd].flags & FILE_SOCKET)
+  if (fd < MAXDESC && fd_info[fd].flags & FILE_SOCKET)
     {
       unsigned long nblock = 0;
       if (winsock_lib == NULL) abort ();