From: Omar Polo <op@omarpolo.com>
Subject: Re: usr.bin/patch: use strtonum instead of atoi()
To: Theo de Raadt <deraadt@openbsd.org>
Cc: Alexander Bluhm <bluhm@openbsd.org>, tech@openbsd.org
Date: Thu, 29 Aug 2024 22:59:33 +0200

On 2024/08/29 11:00:14 -0600, "Theo de Raadt" <deraadt@openbsd.org> wrote:
> The bounds are pretty high, but it looks reasonable.

my other idea was to use 10000, would it be preferred?  It's difficult
to come up with tight bounds here, nor desirable, but yeah, INT_MAX
is way too much.  10k should be still way, wayyy more than needed but
still far away from INT_MAX to avoid overflows.


diff 5a1af3cffe24ad9d9a983a89b5a57b51a5cc18b3 debbbbdb66ccdd01868b59f04122ff2e5eb72798
commit - 5a1af3cffe24ad9d9a983a89b5a57b51a5cc18b3
commit + debbbbdb66ccdd01868b59f04122ff2e5eb72798
blob - 96da0572381e10ed35a0196c6425fc0a5ec4f0c6
blob + d39a3e6113a9b4d0269f3d9a9f413bf22da77a17
--- usr.bin/patch/patch.c
+++ usr.bin/patch/patch.c
@@ -542,6 +542,7 @@ get_some_switches(void)
 		{NULL,			0,			0,	0}
 	};
 	int ch;
+	const char *errstr;
 
 	rejname[0] = '\0';
 	Argc_last = Argc;
@@ -598,7 +599,10 @@ get_some_switches(void)
 			force = true;
 			break;
 		case 'F':
-			maxfuzz = atoi(optarg);
+			maxfuzz = strtonum(optarg, 0, 10000, &errstr);
+			if (errstr != NULL)
+				fatal("maximum fuzz is %s: %s\n",
+				    errstr, optarg);
 			break;
 		case 'i':
 			if (++filec == MAXFILEC)
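
Review bot: the upper bound 10000 passed to strtonum() in the -F case is a bare literal, and the same value is repeated in the -p and -x cases further down. Since the limit is chosen only to stay well clear of INT_MAX, a single named constant with a one-line comment saying so would keep the three call sites in sync if the bound is revisited.
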
@@ -618,7 +622,10 @@ get_some_switches(void)
 			outname = xstrdup(optarg);
 			break;
 		case 'p':
-			strippath = atoi(optarg);
+			strippath = strtonum(optarg, 0, 10000, &errstr);
+			if (errstr != NULL)
+				fatal("strip count is %s: %s\n",
+				    errstr, optarg);
 			break;
 		case 'r':
 			if (strlcpy(rejname, optarg,
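
Review bot: the -p case now turns arguments that atoi() accepted silently into fatal errors: a negative number, digits followed by other characters, or a non-numeric string (which atoi() returned as 0) all fail, because strtonum() is called with a lower bound of 0 and rejects anything that is not a whole number in range. That is the stricter behaviour wanted here, but it changes what existing invocations do, so the commit message or patch(1) should state that the strip count must be a number from 0 to 10000.
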
@@ -647,7 +654,10 @@ get_some_switches(void)
 			break;
 #ifdef DEBUGGING
 		case 'x':
-			debug = atoi(optarg);
+			debug = strtonum(optarg, 0, 10000, &errstr);
+			if (errstr != NULL)
+				fatal("debug number is %s: %s\n",
+				    errstr, optarg);
 			break;
 #endif
 		default:
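
Review bot: the -x case under #ifdef DEBUGGING is the third copy of the same strtonum()/errstr/fatal() sequence, differing only in the variable assigned and the label at the start of the message ("maximum fuzz", "strip count", "debug number"). A small helper that takes optarg and the label and returns the parsed value would remove the duplication and keep the error wording uniform.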