From accac7cd8e7f4b989bd8b29412e494ea944fc219 Mon Sep 17 00:00:00 2001 From: Przemyslaw Czerpak Date: Tue, 3 Jan 2012 14:41:08 +0000 Subject: [PATCH] 2012-01-03 15:40 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl) * harbour/src/rtl/filebuf.c ! fixed next three integer overflows exploited by HB64 locking mode. BTW probably I'll move the lock range to not operate on last positive offset because such overflow problems can be also exploited in low level OS or network transport layer code - it happened in the past. I'll do that when we confirm that current Harbour implementation is correct. --- harbour/ChangeLog | 9 +++++++++ harbour/src/rtl/filebuf.c | 6 +++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/harbour/ChangeLog b/harbour/ChangeLog index df968b60c3..25b126051e 100644 --- a/harbour/ChangeLog +++ b/harbour/ChangeLog @@ -16,6 +16,15 @@ The license applies to all entries newer than 2009-04-28. */ +2012-01-03 15:40 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl) + * harbour/src/rtl/filebuf.c + ! fixed next three integer overflows exploited by HB64 locking mode. + BTW probably I'll move the lock range to not operate on last positive + offset because such overflow problems can be also exploited in low + level OS or network transport layer code - it happened in the past. + I'll do that when we confirm that current Harbour implementation + is correct. + 2012-01-03 10:39 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl) * harbour/src/rtl/filebuf.c ! fixed integer overflow in code scanning the lock pool. diff --git a/harbour/src/rtl/filebuf.c b/harbour/src/rtl/filebuf.c index 614f519650..d46ddd4813 100644 --- a/harbour/src/rtl/filebuf.c +++ b/harbour/src/rtl/filebuf.c 
@@ -233,7 +233,7 @@ static HB_BOOL hb_fileSetLock( PHB_FILE pFile, HB_BOOL * pfLockFS,
 if( uiPos < pFile->uiLocks )
 {
 PHB_FLOCK pLock = &pFile->pLocks[ uiPos ];
- if( nStart + nLen > pLock->start )
+ if( nStart + nLen - 1 >= pLock->start )
 return HB_FALSE;
 if( nStart + nLen == pLock->start )
 fRJoin = HB_TRUE;
@@ -278,7 +278,7 @@ static HB_BOOL hb_fileUnlock( PHB_FILE pFile, HB_BOOL * pfLockFS,
 {
 PHB_FLOCK pLock = &pFile->pLocks[ uiPos ];
 if( nStart >= pLock->start &&
- nStart + nLen <= pLock->start + pLock->len )
+ nStart + nLen - 1 <= pLock->start + pLock->len - 1 )
 {
 if( pfLockFS && pFile->shared )
 * pfLockFS = HB_TRUE;
@@ -316,7 +316,7 @@ static HB_BOOL hb_fileTestLock( PHB_FILE pFile,
 if( uiPos < pFile->uiLocks )
 {
 PHB_FLOCK pLock = &pFile->pLocks[ uiPos ];
- if( nStart + nLen > pLock->start )
+ if( nStart + nLen - 1 >= pLock->start )
 return HB_TRUE;
 }
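Review bot: The added condition `nStart + nLen - 1 >= pLock->start` still evaluates `nStart + nLen` first, so if these offsets are a signed type (the commit message's "last positive offset" suggests they are) a lock range that ends exactly at the maximum positive offset overflows before the `- 1` is applied, which is undefined behaviour in C rather than the wraparound the new expression appears to rely on. Grouping the subtraction with the length keeps every intermediate value in range for any non-empty lock: `if( nStart + ( nLen - 1 ) >= pLock->start )`. The same ordering appears on both sides of the new comparison in the hb_fileUnlock hunk (`pLock->start + pLock->len - 1` has the same issue) and in the hb_fileTestLock hunk, so all three should use the grouped form. A short comment on the line, e.g. `/* nLen - 1 first: nStart + nLen may exceed the last valid offset */`, would record why the grouping matters. hb_fileSetLock begins before this hunk and its body continues after it.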