Index: head/bin/dd/position.c
===================================================================
--- head/bin/dd/position.c	(revision 319338)
+++ head/bin/dd/position.c	(revision 319339)
@@ -1,215 +1,215 @@
 /*-
  * Copyright (c) 1991, 1993, 1994
  *	The Regents of the University of California.  All rights reserved.
  *
  * This code is derived from software contributed to Berkeley by
  * Keith Muller of the University of California, San Diego and Lance
  * Visser of Convex Computer Corporation.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 
 #ifndef lint
 #if 0
 static char sccsid[] = "@(#)position.c	8.3 (Berkeley) 4/2/94";
 #endif
 #endif /* not lint */
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
 #include <sys/types.h>
 #include <sys/mtio.h>
 
 #include <err.h>
 #include <errno.h>
 #include <inttypes.h>
 #include <limits.h>
 #include <signal.h>
 #include <unistd.h>
 
 #include "dd.h"
 #include "extern.h"
 
 static off_t
 seek_offset(IO *io)
 {
 	off_t n;
 	size_t sz;
 
 	n = io->offset;
 	sz = io->dbsz;
 
 	_Static_assert(sizeof(io->offset) == sizeof(int64_t), "64-bit off_t");
 
 	/*
 	 * If the lseek offset will be negative, verify that this is a special
 	 * device file.  Some such files (e.g. /dev/kmem) permit "negative"
 	 * offsets.
 	 *
 	 * Bail out if the calculation of a file offset would overflow.
 	 */
-	if ((io->flags & ISCHR) == 0 && n > OFF_MAX / (ssize_t)sz)
+	if ((io->flags & ISCHR) == 0 && (n < 0 || n > OFF_MAX / (ssize_t)sz))
 		errx(1, "seek offsets cannot be larger than %jd",
 		    (intmax_t)OFF_MAX);
 	else if ((io->flags & ISCHR) != 0 && (uint64_t)n > UINT64_MAX / sz)
 		errx(1, "seek offsets cannot be larger than %ju",
 		    (uintmax_t)UINT64_MAX);
 
 	return ((off_t)( (uint64_t)n * sz ));
 }
 
 /*
  * Position input/output data streams before starting the copy.  Device type
  * dependent.  Seekable devices use lseek, and the rest position by reading.
  * Seeking past the end of file can cause null blocks to be written to the
  * output.
  */
 void
 pos_in(void)
 {
 	off_t cnt;
 	int warned;
 	ssize_t nr;
 	size_t bcnt;
 
 	/* If known to be seekable, try to seek on it. */
 	if (in.flags & ISSEEK) {
 		errno = 0;
 		if (lseek(in.fd, seek_offset(&in), SEEK_CUR) == -1 &&
 		    errno != 0)
 			err(1, "%s", in.name);
 		return;
 	}
 
 	/* Don't try to read a really weird amount (like negative). */
 	if (in.offset < 0)
 		errx(1, "%s: illegal offset", "iseek/skip");
 
 	/*
 	 * Read the data.  If a pipe, read until satisfy the number of bytes
 	 * being skipped.  No differentiation for reading complete and partial
 	 * blocks for other devices.
 	 */
 	for (bcnt = in.dbsz, cnt = in.offset, warned = 0; cnt;) {
 		if ((nr = read(in.fd, in.db, bcnt)) > 0) {
 			if (in.flags & ISPIPE) {
 				if (!(bcnt -= nr)) {
 					bcnt = in.dbsz;
 					--cnt;
 				}
 			} else
 				--cnt;
 			if (need_summary)
 				summary();
 			continue;
 		}
 
 		if (nr == 0) {
 			if (files_cnt > 1) {
 				--files_cnt;
 				continue;
 			}
 			errx(1, "skip reached end of input");
 		}
 
 		/*
 		 * Input error -- either EOF with no more files, or I/O error.
 		 * If noerror not set die.  POSIX requires that the warning
 		 * message be followed by an I/O display.
 		 */
 		if (ddflags & C_NOERROR) {
 			if (!warned) {
 				warn("%s", in.name);
 				warned = 1;
 				summary();
 			}
 			continue;
 		}
 		err(1, "%s", in.name);
 	}
 }
 
 void
 pos_out(void)
 {
 	struct mtop t_op;
 	off_t cnt;
 	ssize_t n;
 
 	/*
 	 * If not a tape, try seeking on the file.  Seeking on a pipe is
 	 * going to fail, but don't protect the user -- they shouldn't
 	 * have specified the seek operand.
 	 */
 	if (out.flags & (ISSEEK | ISPIPE)) {
 		errno = 0;
 		if (lseek(out.fd, seek_offset(&out), SEEK_CUR) == -1 &&
 		    errno != 0)
 			err(1, "%s", out.name);
 		return;
 	}
 
 	/* Don't try to read a really weird amount (like negative). */
 	if (out.offset < 0)
 		errx(1, "%s: illegal offset", "oseek/seek");
 
 	/* If no read access, try using mtio. */
 	if (out.flags & NOREAD) {
 		t_op.mt_op = MTFSR;
 		t_op.mt_count = out.offset;
 
 		if (ioctl(out.fd, MTIOCTOP, &t_op) == -1)
 			err(1, "%s", out.name);
 		return;
 	}
 
 	/* Read it. */
 	for (cnt = 0; cnt < out.offset; ++cnt) {
 		if ((n = read(out.fd, out.db, out.dbsz)) > 0)
 			continue;
 
 		if (n == -1)
 			err(1, "%s", out.name);
 
 		/*
 		 * If reach EOF, fill with NUL characters; first, back up over
 		 * the EOF mark.  Note, cnt has not yet been incremented, so
 		 * the EOF read does not count as a seek'd block.
 		 */
 		t_op.mt_op = MTBSR;
 		t_op.mt_count = 1;
 		if (ioctl(out.fd, MTIOCTOP, &t_op) == -1)
 			err(1, "%s", out.name);
 
 		while (cnt++ < out.offset) {
 			n = write(out.fd, out.db, out.dbsz);
 			if (n == -1)
 				err(1, "%s", out.name);
 			if ((size_t)n != out.dbsz)
 				errx(1, "%s: write failure", out.name);
 		}
 		break;
 	}
 }
Index: head/bin/dd/tests/Makefile
===================================================================
--- head/bin/dd/tests/Makefile	(revision 319338)
+++ head/bin/dd/tests/Makefile	(revision 319339)
@@ -1,7 +1,12 @@
 # $FreeBSD$
 
+.include <src.opts.mk>
+
+.PATH: ${.CURDIR}/..
+
+ATF_TESTS_SH=	dd2_test
 NETBSD_ATF_TESTS_SH=	dd_test
 
 .include <netbsd-tests.test.mk>
 
 .include <bsd.test.mk>
Index: head/bin/dd/tests/dd2_test.sh
===================================================================
--- head/bin/dd/tests/dd2_test.sh	(nonexistent)
+++ head/bin/dd/tests/dd2_test.sh	(revision 319339)
@@ -0,0 +1,50 @@
+#
+# Copyright (c) 2017 Spectra Logic Corporation
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+# $FreeBSD$
+
+
+atf_test_case seek_overflow
+seek_overflow_head() {
+	atf_set "descr" "dd(1) should reject too-large seek values"
+}
+seek_overflow_body() {
+	touch f.in
+	# Positive tests
+	seek=`echo "2^63 / 4096 - 1" | bc`
+	atf_check -s exit:0 -e ignore dd if=f.in of=f.out bs=4096 seek=$seek
+
+	# Negative tests
+	seek=`echo "2^63 / 4096" | bc`
+	atf_check -s not-exit:0 -e match:"seek offsets cannot be larger than" \
+		dd if=f.in of=f.out bs=4096 seek=$seek
+	atf_check -s not-exit:0 -e match:"seek offsets cannot be larger than" \
+		dd if=f.in of=f.out bs=4096 seek=-1
+}
+
+atf_init_test_cases()
+{
+        atf_add_test_case seek_overflow
+}

Property changes on: head/bin/dd/tests/dd2_test.sh
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+FreeBSD=%H
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property