summaryrefslogtreecommitdiffstats
path: root/lib/libc/stdio
diff options
context:
space:
mode:
authorache <ache@FreeBSD.org>1997-12-25 00:32:17 +0000
committerache <ache@FreeBSD.org>1997-12-25 00:32:17 +0000
commit5d5e8db79051b29b70bc0cc3e44bc0edc5d17917 (patch)
tree329baa02d778b3b1974324954c45ef7f868d777a /lib/libc/stdio
parente4ef30b29d1d3250c08542d07819f104cf79cce0 (diff)
downloadFreeBSD-src-5d5e8db79051b29b70bc0cc3e44bc0edc5d17917.zip
FreeBSD-src-5d5e8db79051b29b70bc0cc3e44bc0edc5d17917.tar.gz
Add overflow checks: if output size becomes bigger than INT_MAX,
just return EOF
Diffstat (limited to 'lib/libc/stdio')
-rw-r--r--lib/libc/stdio/vfprintf.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/lib/libc/stdio/vfprintf.c b/lib/libc/stdio/vfprintf.c
index 3457c86..a325784 100644
--- a/lib/libc/stdio/vfprintf.c
+++ b/lib/libc/stdio/vfprintf.c
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)vfprintf.c 8.1 (Berkeley) 6/4/93";
#endif
static const char rcsid[] =
- "$Id: vfprintf.c,v 1.14 1997/12/24 13:47:13 ache Exp $";
+ "$Id: vfprintf.c,v 1.15 1997/12/24 23:02:43 ache Exp $";
#endif /* LIBC_SCCS and not lint */
/*
@@ -320,6 +320,7 @@ vfprintf(fp, fmt0, ap)
int dprec; /* a copy of prec if [diouxX], 0 otherwise */
int realsz; /* field size expanded by dprec, sign, etc */
int size; /* size of converted field or string */
+ int prsize; /* max size of printed field */
char *xdigs; /* digits for [xX] conversion */
#define NIOV 8
struct __suio uio; /* output information: summary */
@@ -456,6 +457,10 @@ vfprintf(fp, fmt0, ap)
for (cp = fmt; (ch = *fmt) != '\0' && ch != '%'; fmt++)
/* void */;
if ((n = fmt - cp) != 0) {
+ if ((size_t)ret + n > INT_MAX) {
+ ret = EOF;
+ goto error;
+ }
PRINT(cp, n);
ret += n;
}
@@ -780,6 +785,12 @@ number: if ((dprec = prec) >= 0)
else if (flags & HEXPREFIX)
realsz += 2;
+ prsize = width > realsz ? width : realsz;
+ if ((size_t)ret + prsize > INT_MAX) {
+ ret = EOF;
+ goto error;
+ }
+
/* right-adjusting blank padding */
if ((flags & (LADJUST|ZEROPAD)) == 0)
PAD(width - realsz, blanks);
@@ -853,7 +864,7 @@ number: if ((dprec = prec) >= 0)
PAD(width - realsz, blanks);
/* finally, adjust ret */
- ret += width > realsz ? width : realsz;
+ ret += prsize;
FLUSH(); /* copy out the I/O vectors */
}
OpenPOWER on IntegriCloud