From 72f0a13e60eecbe42e7dc9cb8694efb36f9033d1 Mon Sep 17 00:00:00 2001 From: Brooks Davis Date: Thu, 13 Apr 2017 15:49:32 +0000 Subject: [PATCH] Correct an out of bounds read with HN_AUTOSCALE and very large numbers. The maximum scale is 6 (K, M, G, T, P, E) (B is 0). Overly large explict scales were checked correctly, but for sufficently large numbers HN_AUTOSCALE would get to 7 resulting in an out of bounds read. Found with humanize_number_test and CHERI bounds checking. Reviewed by: emaste Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D10376 --- lib/libutil/humanize_number.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/libutil/humanize_number.c b/lib/libutil/humanize_number.c index b773422475b3..675a969aaa1e 100644 --- a/lib/libutil/humanize_number.c +++ b/lib/libutil/humanize_number.c @@ -43,7 +43,7 @@ __FBSDID("$FreeBSD$"); #include #include -static const int maxscale = 7; +static const int maxscale = 6; int humanize_number(char *buf, size_t len, int64_t quotient, @@ -64,7 +64,7 @@ humanize_number(char *buf, size_t len, int64_t quotient, return (-1); if (scale < 0) return (-1); - else if (scale >= maxscale && + else if (scale > maxscale && ((scale & ~(HN_AUTOSCALE|HN_GETSCALE)) != 0)) return (-1); if ((flags & HN_DIVISOR_1000) && (flags & HN_IEC_PREFIXES))