[Midnightbsd-cvs] src: strfmon.c: Found an additional integer overflow.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Thu Apr 3 13:47:01 EDT 2008
Log Message:
-----------
Found an additional integer overflow.
This version of the patch comes from NetBSD.
Also limits the range of getnumber to 0x00ffffff to ensure that adding two does not cause an overflow.
Modified Files:
--------------
src/lib/libc/stdlib:
strfmon.c (r1.3 -> r1.4)
-------------- next part --------------
Index: strfmon.c
===================================================================
RCS file: /home/cvs/src/lib/libc/stdlib/strfmon.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -L lib/libc/stdlib/strfmon.c -L lib/libc/stdlib/strfmon.c -u -r1.3 -r1.4
--- lib/libc/stdlib/strfmon.c
+++ lib/libc/stdlib/strfmon.c
@@ -1,4 +1,4 @@
-/* strfmon.c,v 1.4 2006/03/19 01:50:49 christos Exp */
+/* $NetBSD: strfmon.c,v 1.6 2008/03/27 21:50:30 christos Exp $ */
* Copyright (c) 2001 Alexey Zelkin <phantom at FreeBSD.org>
* All rights reserved.
*
@@ -38,6 +38,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <stddef.h>
/* internal flags */
#define NEED_GROUPING 0x01 /* print digits grouped (default) */
@@ -63,15 +64,12 @@
} while (0)
#define GET_NUMBER(VAR) do { \
- int ovar; \
- ovar = VAR = 0; \
+ VAR = 0; \
while (isdigit((unsigned char)*fmt)) { \
VAR *= 10; \
VAR += *fmt - '0'; \
- if (ovar > VAR) \
+ if (VAR > 0x00ffffff) \
goto e2big_error; \
- else \
- ovar = VAR; \
fmt++; \
} \
} while (0)
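Review bot: The limit `0x00ffffff` in GET_NUMBER is a bare magic number, and the macro's overflow safety rests entirely on it without saying so. Because the check runs after `VAR *= 10; VAR += *fmt - '0';`, the value entering each iteration is at most 0x00ffffff, so the multiply and add stay near 1.7e8 and cannot wrap an int of 32 bits or more. That reasoning belongs next to the code. I would give the bound a name and a comment, e.g. `#define GET_NUMBER_MAX 0x00ffffff /* keeps VAR*10+9, and later sums with VAR, inside int */`, and test `if (VAR > GET_NUMBER_MAX)`. The macro also jumps to the caller's `e2big_error` label, which is worth a one-line note above the definition since the label is outside this hunk.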
@@ -188,11 +186,13 @@
/* field Width */
if (isdigit((unsigned char)*fmt)) {
+ ptrdiff_t d = dst - s;
GET_NUMBER(width);
/* Do we have enough space to put number with
* required width ?
*/
- if (dst + width >= s + maxsize)
+
+ if (d + width >= maxsize)
goto e2big_error;
}
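Review bot: The new test `d + width >= maxsize` compares a signed `ptrdiff_t` sum against what is presumably a `size_t` (the declarations of `maxsize` and `width` are outside the hunk), so it relies on an implicit signed-to-unsigned conversion and will trigger `-Wsign-compare`. Both terms look non-negative here, since `d` is `dst - s` and `width` is capped by GET_NUMBER, so making the conversion explicit should be safe: `if ((size_t)(d + width) >= maxsize)`. A short comment on `d`, such as `/* offset into s; avoids forming the possibly out-of-range pointer dst + width */`, would record why the pointer comparison was replaced. The enclosing function starts and ends outside this hunk.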