Detect integer overflow and limit the number of positional
arguments in the string format.

Sponsored by: DARPA, AFRL
Sponsored by: HEIF5
Differential Revision: https://reviews.freebsd.org/D8286
parent
e2efc9becb
commit
130a08a362
@ -120,12 +120,6 @@ ATF_TC_BODY(snprintf_posarg_error, tc)
|
|||||||
{
|
{
|
||||||
char s[16], fmt[32];
|
char s[16], fmt[32];
|
||||||
|
|
||||||
#ifndef __NetBSD__
|
|
||||||
atf_tc_expect_signal(SIGSEGV,
|
|
||||||
"some non-NetBSD platforms including FreeBSD don't validate "
|
|
||||||
"negative size; testcase blows up with SIGSEGV");
|
|
||||||
#endif
|
|
||||||
|
|
||||||
snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));
|
snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));
|
||||||
|
|
||||||
ATF_CHECK(snprintf(s, sizeof(s), fmt, -23) == -1);
|
ATF_CHECK(snprintf(s, sizeof(s), fmt, -23) == -1);
|
||||||
|
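Review bot: The one remaining assertion uses an index of `SIZE_MAX / sizeof(size_t)`, which is far beyond the new limit, so the boundary this commit introduces is never exercised. A second case built the same way, for example `snprintf(fmt, sizeof(fmt), "%%%d$d", NL_ARGMAX + 1);` followed by the same `ATF_CHECK(... == -1)`, would pin the limit itself rather than only the old overflow. The assertion also ignores errno, and nothing in the visible libc hunks sets it on this path, so it is worth deciding whether callers are meant to see one. The closing brace of the test body lies outside the hunk.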
@ -120,7 +120,7 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if __XSI_VISIBLE || __POSIX_VISIBLE >= 200809
|
#if __XSI_VISIBLE || __POSIX_VISIBLE >= 200809
|
||||||
#define NL_ARGMAX 99 /* max # of position args for printf */
|
#define NL_ARGMAX 65536 /* max # of position args for printf */
|
||||||
#define NL_MSGMAX 32767
|
#define NL_MSGMAX 32767
|
||||||
#define NL_SETMAX 255
|
#define NL_SETMAX 255
|
||||||
#define NL_TEXTMAX 2048
|
#define NL_TEXTMAX 2048
|
||||||
|
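Review bot: The value 65536 now appears twice, on the `NL_ARGMAX` line here and as the fallback for `MAX_POSARG` in the printf source, with nothing tying the two together. The comment here could state the enforced behaviour, for example `/* max # of position args for printf; larger indices are rejected */`, and the fallback could carry a comment naming this header. Because the constant is visible to applications, code that sizes arrays by `NL_ARGMAX` grows with it. Presumably a single directive at the limit also makes printf allocate type and argument tables with that many entries, so the chosen bound is a resource decision worth documenting.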
@ -44,6 +44,7 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include "namespace.h"
|
#include "namespace.h"
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include <limits.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
@ -55,6 +56,12 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include "un-namespace.h"
|
#include "un-namespace.h"
|
||||||
#include "printflocal.h"
|
#include "printflocal.h"
|
||||||
|
|
||||||
|
#ifdef NL_ARGMAX
|
||||||
|
#define MAX_POSARG NL_ARGMAX
|
||||||
|
#else
|
||||||
|
#define MAX_POSARG 65536
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Type ids for argument type table.
|
* Type ids for argument type table.
|
||||||
*/
|
*/
|
||||||
@ -70,9 +77,9 @@ enum typeid {
|
|||||||
struct typetable {
|
struct typetable {
|
||||||
enum typeid *table; /* table of types */
|
enum typeid *table; /* table of types */
|
||||||
enum typeid stattable[STATIC_ARG_TBL_SIZE];
|
enum typeid stattable[STATIC_ARG_TBL_SIZE];
|
||||||
int tablesize; /* current size of type table */
|
u_int tablesize; /* current size of type table */
|
||||||
int tablemax; /* largest used index in table */
|
u_int tablemax; /* largest used index in table */
|
||||||
int nextarg; /* 1-based argument index */
|
u_int nextarg; /* 1-based argument index */
|
||||||
};
|
};
|
||||||
|
|
||||||
static int __grow_type_table(struct typetable *);
|
static int __grow_type_table(struct typetable *);
|
||||||
@ -84,7 +91,7 @@ static void build_arg_table (struct typetable *, va_list, union arg **);
|
|||||||
static inline void
|
static inline void
|
||||||
inittypes(struct typetable *types)
|
inittypes(struct typetable *types)
|
||||||
{
|
{
|
||||||
int n;
|
u_int n;
|
||||||
|
|
||||||
types->table = types->stattable;
|
types->table = types->stattable;
|
||||||
types->tablesize = STATIC_ARG_TBL_SIZE;
|
types->tablesize = STATIC_ARG_TBL_SIZE;
|
||||||
@ -185,7 +192,7 @@ static inline int
|
|||||||
addaster(struct typetable *types, char **fmtp)
|
addaster(struct typetable *types, char **fmtp)
|
||||||
{
|
{
|
||||||
char *cp;
|
char *cp;
|
||||||
int n2;
|
u_int n2;
|
||||||
|
|
||||||
n2 = 0;
|
n2 = 0;
|
||||||
cp = *fmtp;
|
cp = *fmtp;
|
||||||
@ -194,7 +201,7 @@ addaster(struct typetable *types, char **fmtp)
|
|||||||
cp++;
|
cp++;
|
||||||
}
|
}
|
||||||
if (*cp == '$') {
|
if (*cp == '$') {
|
||||||
int hold = types->nextarg;
|
u_int hold = types->nextarg;
|
||||||
types->nextarg = n2;
|
types->nextarg = n2;
|
||||||
if (addtype(types, T_INT))
|
if (addtype(types, T_INT))
|
||||||
return (-1);
|
return (-1);
|
||||||
@ -211,7 +218,7 @@ static inline int
|
|||||||
addwaster(struct typetable *types, wchar_t **fmtp)
|
addwaster(struct typetable *types, wchar_t **fmtp)
|
||||||
{
|
{
|
||||||
wchar_t *cp;
|
wchar_t *cp;
|
||||||
int n2;
|
u_int n2;
|
||||||
|
|
||||||
n2 = 0;
|
n2 = 0;
|
||||||
cp = *fmtp;
|
cp = *fmtp;
|
||||||
@ -220,7 +227,7 @@ addwaster(struct typetable *types, wchar_t **fmtp)
|
|||||||
cp++;
|
cp++;
|
||||||
}
|
}
|
||||||
if (*cp == '$') {
|
if (*cp == '$') {
|
||||||
int hold = types->nextarg;
|
u_int hold = types->nextarg;
|
||||||
types->nextarg = n2;
|
types->nextarg = n2;
|
||||||
if (addtype(types, T_INT))
|
if (addtype(types, T_INT))
|
||||||
return (-1);
|
return (-1);
|
||||||
@ -245,7 +252,7 @@ __find_arguments (const char *fmt0, va_list ap, union arg **argtable)
|
|||||||
{
|
{
|
||||||
char *fmt; /* format string */
|
char *fmt; /* format string */
|
||||||
int ch; /* character from fmt */
|
int ch; /* character from fmt */
|
||||||
int n; /* handy integer (short term usage) */
|
u_int n; /* handy integer (short term usage) */
|
||||||
int error;
|
int error;
|
||||||
int flags; /* flags as above */
|
int flags; /* flags as above */
|
||||||
struct typetable types; /* table of types */
|
struct typetable types; /* table of types */
|
||||||
@ -296,6 +303,11 @@ reswitch: switch (ch) {
|
|||||||
n = 0;
|
n = 0;
|
||||||
do {
|
do {
|
||||||
n = 10 * n + to_digit(ch);
|
n = 10 * n + to_digit(ch);
|
||||||
|
/* Detect overflow */
|
||||||
|
if (n > MAX_POSARG) {
|
||||||
|
error = -1;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
ch = *fmt++;
|
ch = *fmt++;
|
||||||
} while (is_digit(ch));
|
} while (is_digit(ch));
|
||||||
if (ch == '$') {
|
if (ch == '$') {
|
||||||
@ -433,7 +445,7 @@ __find_warguments (const wchar_t *fmt0, va_list ap, union arg **argtable)
|
|||||||
{
|
{
|
||||||
wchar_t *fmt; /* format string */
|
wchar_t *fmt; /* format string */
|
||||||
wchar_t ch; /* character from fmt */
|
wchar_t ch; /* character from fmt */
|
||||||
int n; /* handy integer (short term usage) */
|
u_int n; /* handy integer (short term usage) */
|
||||||
int error;
|
int error;
|
||||||
int flags; /* flags as above */
|
int flags; /* flags as above */
|
||||||
struct typetable types; /* table of types */
|
struct typetable types; /* table of types */
|
||||||
@ -484,6 +496,11 @@ reswitch: switch (ch) {
|
|||||||
n = 0;
|
n = 0;
|
||||||
do {
|
do {
|
||||||
n = 10 * n + to_digit(ch);
|
n = 10 * n + to_digit(ch);
|
||||||
|
/* Detect overflow */
|
||||||
|
if (n > MAX_POSARG) {
|
||||||
|
error = -1;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
ch = *fmt++;
|
ch = *fmt++;
|
||||||
} while (is_digit(ch));
|
} while (is_digit(ch));
|
||||||
if (ch == '$') {
|
if (ch == '$') {
|
||||||
@ -624,7 +641,11 @@ __grow_type_table(struct typetable *types)
|
|||||||
enum typeid *const oldtable = types->table;
|
enum typeid *const oldtable = types->table;
|
||||||
const int oldsize = types->tablesize;
|
const int oldsize = types->tablesize;
|
||||||
enum typeid *newtable;
|
enum typeid *newtable;
|
||||||
int n, newsize = oldsize * 2;
|
u_int n, newsize = oldsize * 2;
|
||||||
|
|
||||||
|
/* Detect overflow */
|
||||||
|
if (types->nextarg > NL_ARGMAX)
|
||||||
|
return (-1);
|
||||||
|
|
||||||
if (newsize < types->nextarg + 1)
|
if (newsize < types->nextarg + 1)
|
||||||
newsize = types->nextarg + 1;
|
newsize = types->nextarg + 1;
|
||||||
@ -653,7 +674,7 @@ __grow_type_table(struct typetable *types)
|
|||||||
static void
|
static void
|
||||||
build_arg_table(struct typetable *types, va_list ap, union arg **argtable)
|
build_arg_table(struct typetable *types, va_list ap, union arg **argtable)
|
||||||
{
|
{
|
||||||
int n;
|
u_int n;
|
||||||
|
|
||||||
if (types->tablemax >= STATIC_ARG_TBL_SIZE) {
|
if (types->tablemax >= STATIC_ARG_TBL_SIZE) {
|
||||||
*argtable = (union arg *)
|
*argtable = (union arg *)
|
||||||
|
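Review bot: The new bound is not applied uniformly in this file: `__grow_type_table` tests `types->nextarg > NL_ARGMAX`, although `MAX_POSARG` was added above for builds where `NL_ARGMAX` is not defined, so that line should read `if (types->nextarg > MAX_POSARG)`. In `addaster` and `addwaster` the visible lines only change `n2` and `hold` to `u_int`; the digit loop is mostly outside the hunks, but no check is added there, so a `*N$` index can presumably wrap before it is stored in `types->nextarg`, and `if (n2 > MAX_POSARG) return (-1);` inside that loop would close the gap. In `__grow_type_table`, `oldsize` stays `const int` while `tablesize` became `u_int`, so `oldsize * 2` is still computed as a signed value. The check in `__find_arguments` and `__find_warguments` runs before the `$` test, so it appears to cap plain field widths as well in formats that use positional arguments; if that is intended, the `/* Detect overflow */` comment should say so.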