From 135ffda8b84226a91c6062db69a61975b2f11cb6 Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Mon, 2 Apr 2012 14:31:19 -0700 Subject: Tighten up vfprintf width, precision, and total length overflow handling. With help from Paul Eggert, Carlos O'Donell, and Roland McGrath. * stdio-common/printf-parse.h (read_int): Change return type to 'int', return -1 on INT_MAX overflow. * stdio-common/vfprintf.c (vfprintf): Validate width and precision against overflow of INT_MAX. Set errno to EOVERFLOW when 'done' overflows INT_MAX. Check for overflow of in-format-string precision values properly. Use EOVERFLOW rather than ERANGE throughout. Use SIZE_MAX not INT_MAX for integer overflow test. * stdio-common/printf-parsemb.c: If read_int signals an overflow, skip the construct in the format string but do not record anything. * stdio-common/bug22.c: Adjust to test both width/prevision INT_MAX overflow as well as total length INT_MAX overflow. Check explicitly for proper errno values. --- stdio-common/printf-parse.h | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'stdio-common/printf-parse.h') diff --git a/stdio-common/printf-parse.h b/stdio-common/printf-parse.h index 72665dcec2..3aa0274249 100644 --- a/stdio-common/printf-parse.h +++ b/stdio-common/printf-parse.h @@ -68,16 +68,27 @@ union printf_arg #ifndef DONT_NEED_READ_INT /* Read a simple integer from a string and update the string pointer. It is assumed that the first character is a digit. */ -static unsigned int +static int read_int (const UCHAR_T * *pstr) { - unsigned int retval = **pstr - L_('0'); + int retval = **pstr - L_('0'); while (ISDIGIT (*++(*pstr))) - { - retval *= 10; - retval += **pstr - L_('0'); - } + if (retval >= 0) + { + if (INT_MAX / 10 < retval) + retval = -1; + else + { + int digit = **pstr - L_('0'); + + retval *= 10; + if (INT_MAX - digit < retval) + retval = -1; + else + retval += digit; + } + } return retval; } -- cgit v1.2.3