author | brooks <brooks@FreeBSD.org> | 2017-04-24 21:35:02 +0000 |
---|---|---|
committer | brooks <brooks@FreeBSD.org> | 2017-04-24 21:35:02 +0000 |
commit | b14e85d2ea3800b9e3e8978f553b877a5792918a (patch) | |
tree | d052660aeb7b200f23e8588cd901e9b70899ce8d /lib/libutil/humanize_number.c | |
parent | cf4ab84469a788112504e003f9d924a9b6341c96 (diff) | |
MFC r316766:
Correct an out of bounds read with HN_AUTOSCALE and very large numbers.
The maximum scale is 6 (K, M, G, T, P, E) (B is 0).
Overly large explicit scales were checked correctly, but for sufficiently
large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds
read.
Found with humanize_number_test and CHERI bounds checking.
Reviewed by: emaste
Obtained from: CheriBSD
Sponsored by: DARPA, AFRL
Diffstat (limited to 'lib/libutil/humanize_number.c')
-rw-r--r-- | lib/libutil/humanize_number.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libutil/humanize_number.c b/lib/libutil/humanize_number.c index b773422..675a969 100644 --- a/lib/libutil/humanize_number.c +++ b/lib/libutil/humanize_number.c @@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$"); #include <locale.h> #include <libutil.h> -static const int maxscale = 7; +static const int maxscale = 6; int humanize_number(char *buf, size_t len, int64_t quotient, @@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, int64_t quotient, return (-1); if (scale < 0) return (-1); - else if (scale >= maxscale && + else if (scale > maxscale && ((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0)) return (-1); if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES)) |
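Review bot: In the first hunk, `static const int maxscale = 6;` now holds the highest valid scale rather than a count, and nothing at the declaration says so, which is the ambiguity behind the off-by-one being fixed here. Add a comment at the declaration along the lines of "largest valid scale: K, M, G, T, P, E (B is 0)", or derive the value from the size of the prefix table it indexes so the two cannot drift apart.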
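Review bot: In the second hunk, the change from `scale >= maxscale` to `scale > maxscale` is only correct together with the lowered constant, since it is what keeps an explicit scale of 6 accepted; a short comment on the condition stating that `maxscale` is inclusive would stop a later reader from changing it back. The auto-scale bound that the commit message describes is not visible in this hunk, so a humanize_number_test case using HN_AUTOSCALE with a value large enough to reach the top scale, next to one for an explicit scale of 6, would pin both sides of the boundary.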