Check for failures when reading edquota input

quota-4.03-quotaops-check-return-code-of-fgets-calls.patch

@@ -0,0 +1,73 @@
+From a431ffcc27b364b7cc2b280ad33873e0157e7e99 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Thu, 18 May 2017 12:29:50 +0300
+Subject: [PATCH] quotaops: check return code of fgets calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fgets can return NULL anytime, do not ignore it.
+
+Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ quotaops.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/quotaops.c b/quotaops.c
+index 5e6026e..6f245b7 100644
+--- a/quotaops.c
++++ b/quotaops.c
+@@ -330,8 +330,12 @@ int readprivs(struct dquot *qlist, int infd)
+ 	/*
+ 	 * Discard title lines, then read lines to process.
+ 	 */
+-	fgets(line, sizeof(line), fd);
+-	fgets(line, sizeof(line), fd);
++	if (!fgets(line, sizeof(line), fd) ||
++	    !fgets(line, sizeof(line), fd)) {
++		errstr(_("Bad format: two title lines assumed\n"));
++		fclose(fd);
++		return -1;
++	}
+ 
+ 	while (fgets(line, sizeof(line), fd)) {
+ 		cnt = sscanf(line, "%s %s %s %s %s %s %s",
+@@ -481,9 +485,13 @@ int readindividualtimes(struct dquot *qlist, int infd)
+ 	/*
+ 	 * Discard title lines, then read lines to process.
+ 	 */
+-	fgets(line, sizeof(line), fd);
+-	fgets(line, sizeof(line), fd);
+-	fgets(line, sizeof(line), fd);
++	if (!fgets(line, sizeof(line), fd) ||
++	    !fgets(line, sizeof(line), fd) ||
++	    !fgets(line, sizeof(line), fd)) {
++		errstr(_("Bad format: three title lines assumed\n"));
++		fclose(fd);
++		return -1;
++	}
+ 
+ 	time(&now);
+ 	while (fgets(line, sizeof(line), fd)) {
+@@ -583,9 +591,13 @@ int readtimes(struct quota_handle **handles, int infd)
+ 	/*
+ 	 * Discard three title lines, then read lines to process.
+ 	 */
+-	fgets(line, sizeof(line), fd);
+-	fgets(line, sizeof(line), fd);
+-	fgets(line, sizeof(line), fd);
++	if (!fgets(line, sizeof(line), fd) ||
++	    !fgets(line, sizeof(line), fd) ||
++	    !fgets(line, sizeof(line), fd)) {
++		errstr(_("Bad format: three title lines assumed\n"));
++		fclose(fd);
++		return -1;
++	}
+ 
+ 	while (fgets(line, sizeof(line), fd)) {
+ 		cnt = sscanf(line, "%s %d %s %d %s", fsp, &btime, bunits, &itime, iunits);
+-- 
+2.9.4
+

quota.spec

@@ -71,6 +71,8 @@ Patch13:    quota-4.03-quotacheck-fix-ask_yn-UB-when-fgets-returns-NULL.patch
 # Check for setuid and setgid calls failure in edquota tool,
 # in upstream after 4.03
 Patch14:    quota-4.03-quotaops-check-setgid-setuid-return-code.patch
+# Check for failures when reading edquota input, in upstream after 4.03
+Patch15:    quota-4.03-quotaops-check-return-code-of-fgets-calls.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bash
@@ -193,6 +195,7 @@ Linux/UNIX environment.
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 # Unpack forgotten LDAP scripts
 tar -xzkf %{SOURCE5}
 # Regenerate build scripts, also because of Respect-enviroment-CFLAGS.patch
@@ -313,6 +316,7 @@ make check
 - Fix a race between checking for and opening a directory to be scanned
 - Fix an undefined behavior on parsing yes-no answer
 - Check for setuid and setgid calls failure in edquota tool
+- Check for failures when reading edquota input
 
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:4.03-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild