1/*-
2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
3 *
4 * Copyright 2003-2005 Colin Percival
5 * All rights reserved
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted providing that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 * POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#include <sys/cdefs.h>
30__FBSDID("$FreeBSD$");
31
32#ifndef WITHOUT_CAPSICUM
33#include <sys/capsicum.h>
34#endif
35
36#include <bzlib.h>
37#include <err.h>
38#include <fcntl.h>
39#include <libgen.h>
40#include <limits.h>
41#include <stdint.h>
42#include <stdio.h>
43#include <stdlib.h>
44#include <string.h>
45#include <unistd.h>
46
47#ifndef O_BINARY
48#define O_BINARY 0
49#endif
50#define HEADER_SIZE 32
51
/*
 * Name of the output file, relative to dirfd.  main() sets it from
 * basename(argv[2]) before creating the file and resets it to NULL once
 * the complete contents have been written, so exit_cleanup() only ever
 * removes a partially written newfile.
 */
static char *newfile;
/* Directory containing newfile; stays -1 until main() has opened it. */
static int dirfd = -1;
54
/*
 * atexit() hook: remove a partially written newfile when the program
 * terminates early (err()/errx() on a corrupt patch or I/O failure).
 * Nothing is done until main() has opened the directory and named the
 * output, or after main() has cleared newfile following a complete write.
 */
static void
exit_cleanup(void)
{

	if (dirfd == -1 || newfile == NULL)
		return;
	if (unlinkat(dirfd, newfile, 0) != 0)
		warn("unlinkat");
}
63
/*
 * Return a + b, terminating with "Corrupt patch" if the sum does not fit
 * in off_t.  All position arithmetic on values taken from the patch goes
 * through this helper so a crafted control block cannot wrap an offset.
 */
static inline off_t
add_off_t(off_t a, off_t b)
{
	off_t sum;

#if __GNUC__ >= 5 || \
    (defined(__has_builtin) && __has_builtin(__builtin_add_overflow))
	if (__builtin_add_overflow(a, b, &sum))
		errx(1, "Corrupt patch");
#else
	/* Portable fallback: test the bound before the (possibly UB) add. */
	if (b > 0) {
		if (a > OFF_MAX - b)
			errx(1, "Corrupt patch");
	} else if (b < 0) {
		if (a < OFF_MIN - b)
			errx(1, "Corrupt patch");
	}
	sum = a + b;
#endif
	return (sum);
}
80
/*
 * Decode the 8-byte integer encoding used by bsdiff: little-endian
 * sign-magnitude, with the top bit of buf[7] as the sign and the remaining
 * 63 bits as the magnitude.  A zero magnitude with the sign bit set
 * decodes to 0.
 */
static off_t
offtin(u_char *buf)
{
	off_t magnitude;
	int idx;

	/* Most significant byte first, with its sign bit masked off. */
	magnitude = buf[7] & 0x7F;
	for (idx = 6; idx >= 0; idx--)
		magnitude = magnitude * 256 + buf[idx];

	return ((buf[7] & 0x80) ? -magnitude : magnitude);
}
99
/* Print the command synopsis to stderr and exit with status 1. */
static void
usage(void)
{

	fputs("usage: bspatch oldfile newfile patchfile\n", stderr);
	exit(1);
}
107
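/*
 * bspatch oldfile newfile patchfile
 *
 * Rebuild newfile by applying a BSDIFF40 patch to oldfile.  The patch is
 * untrusted input: every length and offset read from it is range-checked,
 * and all position arithmetic goes through add_off_t(), before it is used
 * to index a buffer.  Any inconsistency terminates with "Corrupt patch",
 * and the atexit() hook removes the partially written newfile.
 *
 * Exit status is 0 on success; all failures exit non-zero via err()/errx().
 */
int main(int argc, char *argv[])
{
	FILE *f, *cpf, *dpf, *epf;
	BZFILE *cpfbz2, *dpfbz2, *epfbz2;
	char *directory, *namebuf;
	int cbz2err, dbz2err, ebz2err;
	int newfd, oldfd;
	off_t oldsize, newsize;
	off_t bzctrllen, bzdatalen;
	u_char header[HEADER_SIZE], buf[8];
	u_char *old, *new;
	off_t oldpos, newpos, oldidx;
	off_t ctrl[3];
	off_t i, lenread, offset;
#ifndef WITHOUT_CAPSICUM
	cap_rights_t rights_dir, rights_ro, rights_wr;
#endif

	if (argc != 4)
		usage();

	/*
	 * The patch is opened four times: once for the header and once per
	 * bzip2 stream (control, diff, extra), so that each stream can be
	 * decoded independently from its own offset.
	 */
	/* Open patch file */
	if ((f = fopen(argv[3], "rb")) == NULL)
		err(1, "fopen(%s)", argv[3]);
	/* Open patch file for control block */
	if ((cpf = fopen(argv[3], "rb")) == NULL)
		err(1, "fopen(%s)", argv[3]);
	/* open patch file for diff block */
	if ((dpf = fopen(argv[3], "rb")) == NULL)
		err(1, "fopen(%s)", argv[3]);
	/* open patch file for extra block */
	if ((epf = fopen(argv[3], "rb")) == NULL)
		err(1, "fopen(%s)", argv[3]);
	/* open oldfile */
	if ((oldfd = open(argv[1], O_RDONLY | O_BINARY, 0)) < 0)
		err(1, "open(%s)", argv[1]);
	/*
	 * Open the directory that will hold newfile.  Keeping a directory
	 * descriptor lets exit_cleanup() unlink a partial output by name
	 * even after the sandbox below has removed path-based access.
	 */
	if ((namebuf = strdup(argv[2])) == NULL ||
	    (directory = dirname(namebuf)) == NULL ||
	    (dirfd = open(directory, O_DIRECTORY)) < 0)
		err(1, "open %s", argv[2]);
	free(namebuf);
	if ((newfile = basename(argv[2])) == NULL)
		err(1, "basename");
	/* open newfile */
	if ((newfd = openat(dirfd, newfile,
	    O_CREAT | O_TRUNC | O_WRONLY | O_BINARY, 0666)) < 0)
		err(1, "open(%s)", argv[2]);
	/* From here on any early exit removes the partially written newfile. */
	atexit(exit_cleanup);

#ifndef WITHOUT_CAPSICUM
	/*
	 * Enter the sandbox now that every descriptor is open, then restrict
	 * each one to the operations still needed: read/seek on the inputs,
	 * write on newfd, and unlinkat on the directory for exit_cleanup().
	 */
	if (cap_enter() < 0)
		err(1, "failed to enter security sandbox");

	cap_rights_init(&rights_ro, CAP_READ, CAP_FSTAT, CAP_SEEK);
	cap_rights_init(&rights_wr, CAP_WRITE);
	cap_rights_init(&rights_dir, CAP_UNLINKAT);

	if (cap_rights_limit(fileno(f), &rights_ro) < 0 ||
	    cap_rights_limit(fileno(cpf), &rights_ro) < 0 ||
	    cap_rights_limit(fileno(dpf), &rights_ro) < 0 ||
	    cap_rights_limit(fileno(epf), &rights_ro) < 0 ||
	    cap_rights_limit(oldfd, &rights_ro) < 0 ||
	    cap_rights_limit(newfd, &rights_wr) < 0 ||
	    cap_rights_limit(dirfd, &rights_dir) < 0)
		err(1, "cap_rights_limit() failed, could not restrict"
		    " capabilities");
#endif

	/*
	File format:
		0	8	"BSDIFF40"
		8	8	X
		16	8	Y
		24	8	sizeof(newfile)
		32	X	bzip2(control block)
		32+X	Y	bzip2(diff block)
		32+X+Y	???	bzip2(extra block)
	with control block a set of triples (x,y,z) meaning "add x bytes
	from oldfile to x bytes from the diff block; copy y bytes from the
	extra block; seek forwards in oldfile by z bytes".
	*/

	/* Read header */
	if (fread(header, 1, HEADER_SIZE, f) < HEADER_SIZE) {
		if (feof(f))
			errx(1, "Corrupt patch");
		err(1, "fread(%s)", argv[3]);
	}

	/* Check for appropriate magic */
	if (memcmp(header, "BSDIFF40", 8) != 0)
		errx(1, "Corrupt patch");

	/*
	 * Read lengths from header.  The two stream lengths must be
	 * non-negative and, together with HEADER_SIZE, fit in off_t so the
	 * three stream offsets computed below cannot wrap; newsize is capped
	 * at SSIZE_MAX so the final write() result can be compared to it.
	 */
	bzctrllen = offtin(header + 8);
	bzdatalen = offtin(header + 16);
	newsize = offtin(header + 24);
	if (bzctrllen < 0 || bzctrllen > OFF_MAX - HEADER_SIZE ||
	    bzdatalen < 0 || bzctrllen + HEADER_SIZE > OFF_MAX - bzdatalen ||
	    newsize < 0 || newsize > SSIZE_MAX)
		errx(1, "Corrupt patch");

	/* Close patch file and re-open it via libbzip2 at the right places */
	if (fclose(f))
		err(1, "fclose(%s)", argv[3]);
	offset = HEADER_SIZE;
	if (fseeko(cpf, offset, SEEK_SET))
		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
	if ((cpfbz2 = BZ2_bzReadOpen(&cbz2err, cpf, 0, 0, NULL, 0)) == NULL)
		errx(1, "BZ2_bzReadOpen, bz2err = %d", cbz2err);
	offset = add_off_t(offset, bzctrllen);
	if (fseeko(dpf, offset, SEEK_SET))
		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
	if ((dpfbz2 = BZ2_bzReadOpen(&dbz2err, dpf, 0, 0, NULL, 0)) == NULL)
		errx(1, "BZ2_bzReadOpen, bz2err = %d", dbz2err);
	offset = add_off_t(offset, bzdatalen);
	if (fseeko(epf, offset, SEEK_SET))
		err(1, "fseeko(%s, %jd)", argv[3], (intmax_t)offset);
	if ((epfbz2 = BZ2_bzReadOpen(&ebz2err, epf, 0, 0, NULL, 0)) == NULL)
		errx(1, "BZ2_bzReadOpen, bz2err = %d", ebz2err);

	/* Slurp oldfile into memory; its size is bounded so read() can be checked. */
	if ((oldsize = lseek(oldfd, 0, SEEK_END)) == -1 ||
	    oldsize > SSIZE_MAX ||
	    (old = malloc(oldsize)) == NULL ||
	    lseek(oldfd, 0, SEEK_SET) != 0 ||
	    read(oldfd, old, oldsize) != oldsize ||
	    close(oldfd) == -1)
		err(1, "%s", argv[1]);
	if ((new = malloc(newsize)) == NULL)
		err(1, NULL);

	oldpos = 0;
	newpos = 0;
	while (newpos < newsize) {
		/* Read control data */
		for (i = 0; i <= 2; i++) {
			lenread = BZ2_bzRead(&cbz2err, cpfbz2, buf, 8);
			if ((lenread < 8) || ((cbz2err != BZ_OK) &&
			    (cbz2err != BZ_STREAM_END)))
				errx(1, "Corrupt patch");
			ctrl[i] = offtin(buf);
		}

		/*
		 * Sanity-check: BZ2_bzRead() takes an int length, so the two
		 * copy lengths must fit in int.  ctrl[2] (the seek within
		 * oldfile) may legitimately be negative and is only ever
		 * applied through add_off_t() below.
		 */
		if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||
		    ctrl[1] < 0 || ctrl[1] > INT_MAX)
			errx(1, "Corrupt patch");

		/* Sanity-check: the diff string must fit in new[]. */
		if (add_off_t(newpos, ctrl[0]) > newsize)
			errx(1, "Corrupt patch");

		/* Read diff string */
		lenread = BZ2_bzRead(&dbz2err, dpfbz2, new + newpos, ctrl[0]);
		if ((lenread < ctrl[0]) ||
		    ((dbz2err != BZ_OK) && (dbz2err != BZ_STREAM_END)))
			errx(1, "Corrupt patch");

		/*
		 * Add old data to diff string.  A previous triple's seek may
		 * have left oldpos negative or beyond the end of oldfile, so
		 * the index into old[] is bounded on both sides; positions
		 * outside [0, oldsize) contribute nothing.
		 */
		for (i = 0; i < ctrl[0]; i++) {
			oldidx = add_off_t(oldpos, i);
			if (oldidx >= 0 && oldidx < oldsize)
				new[newpos + i] += old[oldidx];
		}

		/* Adjust pointers */
		newpos = add_off_t(newpos, ctrl[0]);
		oldpos = add_off_t(oldpos, ctrl[0]);

		/* Sanity-check: the extra string must fit in new[]. */
		if (add_off_t(newpos, ctrl[1]) > newsize)
			errx(1, "Corrupt patch");

		/* Read extra string */
		lenread = BZ2_bzRead(&ebz2err, epfbz2, new + newpos, ctrl[1]);
		if ((lenread < ctrl[1]) ||
		    ((ebz2err != BZ_OK) && (ebz2err != BZ_STREAM_END)))
			errx(1, "Corrupt patch");

		/* Adjust pointers */
		newpos = add_off_t(newpos, ctrl[1]);
		oldpos = add_off_t(oldpos, ctrl[2]);
	}

	/* Clean up the bzip2 reads */
	BZ2_bzReadClose(&cbz2err, cpfbz2);
	BZ2_bzReadClose(&dbz2err, dpfbz2);
	BZ2_bzReadClose(&ebz2err, epfbz2);
	if (fclose(cpf) || fclose(dpf) || fclose(epf))
		err(1, "fclose(%s)", argv[3]);

	/* Write the new file */
	if (write(newfd, new, newsize) != newsize || close(newfd) == -1)
		err(1, "%s", argv[2]);
	/* Disable atexit cleanup: newfile is complete and must be kept. */
	newfile = NULL;

	free(new);
	free(old);

	return (0);
}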
309