Better strfmon(3) conversion specifiers sanity checking.

There were no checks for the left and right precisions at all, and
the check for the field width had an integer overflow bug.

Reported by:	Maksymilian Arciemowicz
Security:	http://securityreason.com/achievement_securityalert/53
Submitted by:	Maxim Dounin <mdounin@mdounin.ru>
MFC after:	3 days
This commit is contained in:
Ruslan Ermilov 2008-04-19 07:18:22 +00:00
parent a04e98468d
commit 3890416f9c


@ -67,6 +67,8 @@ __FBSDID("$FreeBSD$");
while (isdigit((unsigned char)*fmt)) { \
VAR *= 10; \
VAR += *fmt - '0'; \
if (VAR < 0) \
goto e2big_error; \
fmt++; \
} \
} while (0)
@ -187,7 +189,7 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
/* Do we have enough space to put number with
* required width ?
*/
if (dst + width >= s + maxsize)
if ((unsigned int)width >= maxsize - (dst - s))
goto e2big_error;
}
@ -196,6 +198,8 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
if (!isdigit((unsigned char)*++fmt))
goto format_error;
GET_NUMBER(left_prec);
if ((unsigned int)left_prec >= maxsize - (dst - s))
goto e2big_error;
}
/* Right precision */
@ -203,6 +207,9 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
if (!isdigit((unsigned char)*++fmt))
goto format_error;
GET_NUMBER(right_prec);
if ((unsigned int)right_prec >= maxsize - (dst - s) -
left_prec)
goto e2big_error;
}
/* Conversion Characters */
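Review bot: The overflow guard added to GET_NUMBER in the first hunk, `if (VAR < 0) goto e2big_error;`, inspects VAR only after `VAR *= 10; VAR += *fmt - '0';` has already overflowed, and signed overflow is undefined behaviour in C, so a compiler may assume a non-negative VAR stays non-negative and drop the check; where the arithmetic does wrap (32-bit two's-complement int), a digit string such as `4294967296` folds back to 0 and passes. Checking before the arithmetic avoids both problems: replace the post-hoc test with `if (VAR > (INT_MAX - (*fmt - '0')) / 10) goto e2big_error;` placed before `VAR *= 10;` (this needs `<limits.h>`, whose inclusion is outside the hunks shown). As far as the visible lines show this is a robustness rather than an exploitable gap, since the later `>= maxsize - (dst - s)` comparisons still reject any large value through the unsigned cast. In the last hunk the right-precision bound subtracts `left_prec` directly; if left_prec still holds a -1 sentinel when no left precision was given (its initialisation is outside the hunk), the size_t subtraction admits one byte more than the remaining space, so consider `(left_prec > 0 ? left_prec : 0)` there. The GET_NUMBER macro and the body of strfmon both begin outside the hunks shown.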