From 5d5e8db79051b29b70bc0cc3e44bc0edc5d17917 Mon Sep 17 00:00:00 2001
From: ache
Date: Thu, 25 Dec 1997 00:32:17 +0000
Subject: Add overflow checks: if output size becomes bigger than INT_MAX, just return EOF
---
 lib/libc/stdio/vfprintf.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'lib/libc/stdio')
diff --git a/lib/libc/stdio/vfprintf.c b/lib/libc/stdio/vfprintf.c
index 3457c86..a325784 100644
--- a/lib/libc/stdio/vfprintf.c
+++ b/lib/libc/stdio/vfprintf.c
@@ -39,7 +39,7 @@
 static char sccsid[] = "@(#)vfprintf.c 8.1 (Berkeley) 6/4/93";
 #endif
 static const char rcsid[] =
- "$Id: vfprintf.c,v 1.14 1997/12/24 13:47:13 ache Exp $";
+ "$Id: vfprintf.c,v 1.15 1997/12/24 23:02:43 ache Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 /*
@@ -320,6 +320,7 @@ vfprintf(fp, fmt0, ap)
 int dprec; /* a copy of prec if [diouxX], 0 otherwise */
 int realsz; /* field size expanded by dprec, sign, etc */
 int size; /* size of converted field or string */
+ int prsize; /* max size of printed field */
 char *xdigs; /* digits for [xX] conversion */
 #define NIOV 8
 struct __suio uio; /* output information: summary */
@@ -456,6 +457,10 @@ vfprintf(fp, fmt0, ap)
 for (cp = fmt; (ch = *fmt) != '\0' && ch != '%'; fmt++)
 /* void */;
 if ((n = fmt - cp) != 0) {
+ if ((size_t)ret + n > INT_MAX) {
+ ret = EOF;
+ goto error;
+ }
 PRINT(cp, n);
 ret += n;
 }
@@ -780,6 +785,12 @@ number: if ((dprec = prec) >= 0)
 else if (flags & HEXPREFIX)
 realsz += 2;
 
+ prsize = width > realsz ? width : realsz;
+ if ((size_t)ret + prsize > INT_MAX) {
+ ret = EOF;
+ goto error;
+ }
+
 /* right-adjusting blank padding */
 if ((flags & (LADJUST|ZEROPAD)) == 0)
 PAD(width - realsz, blanks);
@@ -853,7 +864,7 @@ number: if ((dprec = prec) >= 0)
 PAD(width - realsz, blanks);
 
 /* finally, adjust ret */
- ret += width > realsz ? width : realsz;
+ ret += prsize;
 
 FLUSH(); /* copy out the I/O vectors */
 }
-- cgit v1.1
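Review bot: The overflow exit in the `@@ -456,6 +457,10 @@` hunk (`ret = EOF; goto error;`) reports the condition exactly like a stream write failure and leaves errno untouched, so a caller cannot tell an oversized result from an I/O error; the second check in the `@@ -780,6 +785,12 @@` hunk has the same gap. POSIX assigns EOVERFLOW to this case, so `errno = EOVERFLOW;` ahead of `ret = EOF;` would make it diagnosable, provided `<errno.h>` is in scope in this file (not visible here). The `error` label and the rest of vfprintf lie outside the hunk, so whether output already queued is flushed or dropped on this path should be confirmed there.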
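Review bot: The new bound in the `@@ -780,6 +785,12 @@` hunk is applied to `prsize`, but the `realsz` that feeds it is built with plain int additions (`realsz += 2` is visible just above), so a precision close to INT_MAX could apparently wrap `realsz` negative before the check runs and let `prsize` fall back to `width`. Guarding the addition, e.g. `if (realsz > INT_MAX - 2) { ret = EOF; goto error; }` ahead of `realsz += 2;`, would close that gap. The earlier steps that compute `realsz` are outside the hunk and would need the same treatment. A short comment such as `/* reject fields that would push ret past INT_MAX */` above the check would also record why `prsize` is computed before any padding is emitted.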