Add overflow checks: if output size becomes bigger than INT_MAX,

just return EOF
Andrey A. Chernov 1997-12-25 00:32:17 +00:00
parent fb25537fb8
commit 92e88f87b9


@ -39,7 +39,7 @@
static char sccsid[] = "@(#)vfprintf.c 8.1 (Berkeley) 6/4/93";
#endif
static const char rcsid[] =
"$Id: vfprintf.c,v 1.14 1997/12/24 13:47:13 ache Exp $";
"$Id: vfprintf.c,v 1.15 1997/12/24 23:02:43 ache Exp $";
#endif /* LIBC_SCCS and not lint */
/*
@ -320,6 +320,7 @@ vfprintf(fp, fmt0, ap)
int dprec; /* a copy of prec if [diouxX], 0 otherwise */
int realsz; /* field size expanded by dprec, sign, etc */
int size; /* size of converted field or string */
int prsize; /* max size of printed field */
char *xdigs; /* digits for [xX] conversion */
#define NIOV 8
struct __suio uio; /* output information: summary */
@ -456,6 +457,10 @@ vfprintf(fp, fmt0, ap)
for (cp = fmt; (ch = *fmt) != '\0' && ch != '%'; fmt++)
/* void */;
if ((n = fmt - cp) != 0) {
if ((size_t)ret + n > INT_MAX) {
ret = EOF;
goto error;
}
PRINT(cp, n);
ret += n;
}
@ -780,6 +785,12 @@ number: if ((dprec = prec) >= 0)
else if (flags & HEXPREFIX)
realsz += 2;
prsize = width > realsz ? width : realsz;
if ((size_t)ret + prsize > INT_MAX) {
ret = EOF;
goto error;
}
/* right-adjusting blank padding */
if ((flags & (LADJUST|ZEROPAD)) == 0)
PAD(width - realsz, blanks);
@ -853,7 +864,7 @@ number: if ((dprec = prec) >= 0)
PAD(width - realsz, blanks);
/* finally, adjust ret */
ret += width > realsz ? width : realsz;
ret += prsize;
FLUSH(); /* copy out the I/O vectors */
}
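Review bot: The guard added before the padding, `if ((size_t)ret + prsize > INT_MAX)`, trusts `prsize`, but `realsz` has already been adjusted in plain `int` arithmetic on the line just above it (`realsz += 2` for the hex prefix, and presumably a sign increment outside the hunk). If a width or precision close to INT_MAX can reach this point (the parsing is not visible here), `realsz` may wrap before the check runs, so `prsize` comes out small or negative and the check passes even though the field that is then emitted is far larger. A minimal hardening is `if (prsize < 0 || (size_t)ret + prsize > INT_MAX) {`, although rejecting oversized width and precision where they are parsed would avoid depending on the result of a signed overflow at all. A short comment on both new checks, such as `/* total output must stay representable in the int return value */`, would record why EOF is returned here. The vfprintf body and the `error` label lie outside the shown hunks, so whether output already queued by PRINT is flushed on this path cannot be confirmed from this page.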