diff options
author | ache <ache@FreeBSD.org> | 1997-12-25 00:32:17 +0000 |
---|---|---|
committer | ache <ache@FreeBSD.org> | 1997-12-25 00:32:17 +0000 |
commit | 5d5e8db79051b29b70bc0cc3e44bc0edc5d17917 (patch) | |
tree | 329baa02d778b3b1974324954c45ef7f868d777a /lib | |
parent | e4ef30b29d1d3250c08542d07819f104cf79cce0 (diff) | |
download | FreeBSD-src-5d5e8db79051b29b70bc0cc3e44bc0edc5d17917.zip FreeBSD-src-5d5e8db79051b29b70bc0cc3e44bc0edc5d17917.tar.gz |
Add overflow checks: if output size becomes bigger than INT_MAX,
just return EOF
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/stdio/vfprintf.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/lib/libc/stdio/vfprintf.c b/lib/libc/stdio/vfprintf.c index 3457c86..a325784 100644 --- a/lib/libc/stdio/vfprintf.c +++ b/lib/libc/stdio/vfprintf.c @@ -39,7 +39,7 @@ static char sccsid[] = "@(#)vfprintf.c 8.1 (Berkeley) 6/4/93"; #endif static const char rcsid[] = - "$Id: vfprintf.c,v 1.14 1997/12/24 13:47:13 ache Exp $"; + "$Id: vfprintf.c,v 1.15 1997/12/24 23:02:43 ache Exp $"; #endif /* LIBC_SCCS and not lint */ /* @@ -320,6 +320,7 @@ vfprintf(fp, fmt0, ap) int dprec; /* a copy of prec if [diouxX], 0 otherwise */ int realsz; /* field size expanded by dprec, sign, etc */ int size; /* size of converted field or string */ + int prsize; /* max size of printed field */ char *xdigs; /* digits for [xX] conversion */ #define NIOV 8 struct __suio uio; /* output information: summary */ @@ -456,6 +457,10 @@ vfprintf(fp, fmt0, ap) for (cp = fmt; (ch = *fmt) != '\0' && ch != '%'; fmt++) /* void */; if ((n = fmt - cp) != 0) { + if ((size_t)ret + n > INT_MAX) { + ret = EOF; + goto error; + } PRINT(cp, n); ret += n; } @@ -780,6 +785,12 @@ number: if ((dprec = prec) >= 0) else if (flags & HEXPREFIX) realsz += 2; + prsize = width > realsz ? width : realsz; + if ((size_t)ret + prsize > INT_MAX) { + ret = EOF; + goto error; + } + /* right-adjusting blank padding */ if ((flags & (LADJUST|ZEROPAD)) == 0) PAD(width - realsz, blanks); @@ -853,7 +864,7 @@ number: if ((dprec = prec) >= 0) PAD(width - realsz, blanks); /* finally, adjust ret */ - ret += width > realsz ? width : realsz; + ret += prsize; FLUSH(); /* copy out the I/O vectors */ } |