bin/39326: patch fails to check writes to tempory file, silently corrupting output

[gdt%ir.bbn.com@localhost]

>Number:         39326
>Category:       bin
>Synopsis:       patch fails to check writes to tempory file, silently 
>corrupting output
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 09 13:00:00 +0000 2008
>Originator:     Greg Troxel
>Release:        NetBSD 4.0_STABLE
>Organization:
    Greg Troxel <gdt%ir.bbn.com@localhost>
>Environment:
        
        
System: NetBSD fnord.ir.bbn.com 4.0_STABLE NetBSD 4.0_STABLE (GENERIC) #30: Mon 
Feb 18 11:05:00 EST 2008 
gdt%fnord.ir.bbn.com@localhost:/n0/obj/gdt-4/i386/sys/arch/i386/compile/GENERIC 
i386
Architecture: i386
Machine: i386
>Description:
patch writes the output to /tmp and then copies it back.  But it fails
to check writes, and if /tmp is unreasonably small (~512K in my case),
and the file being patched large (640K, configure from libtool)

>How-To-Repeat:

(Done on amd64, seems quite MI)
mount /tmp as tmpfs with size 500000.
Try to build /usr/pkgsrc/devel/libtool-base, and observe a bizarre
shell error in configure.
Isolate patch-ab and configure, and try to run patch by hand.  Note
that the output is truncated.
Run ktrace and see write errors:

    98      1 patch    CALL  write(4,0x7f7ffd813000,0x1000)
    98      1 patch    RET   write -1 errno 28 No space left on device
    98      1 patch    CALL  write(2,0x7f7fffffcfd0,0x1b)
    98      1 patch    GIO   fd 2 wrote 27 bytes
       "Hunk #44 succeeded at 14754"
    98      1 patch    RET   write 27/0x1b
    98      1 patch    CALL  write(2,0x7f7fffffcfd0,2)
    98      1 patch    GIO   fd 2 wrote 2 bytes
       ".\n"
    98      1 patch    RET   write 2

and see it keep going.

>Fix:

See src/usr.bin/patch/patch.c:apply_hunk(), and note that fputs is
used without checking the return value.

>Unformatted: