author | Ruslan Ermilov <ru@FreeBSD.org> | 2008-04-19 07:18:22 +0000 |
---|---|---|
committer | Ruslan Ermilov <ru@FreeBSD.org> | 2008-04-19 07:18:22 +0000 |
commit | 3890416f9c76b1736442d49b1f46e603eebee87b (patch) | |
tree | 0fe96ccf4da176e374ecf8218316fc81d1215132 /lib | |
parent | a04e98468d2fa0733211dfd47a0229f71c673ba7 (diff) | |
Better strfmon(3) conversion specifiers sanity checking.
There were no checks for left and right precisions at all, and
the check for field width had an integer overflow bug.
Reported by: Maksymilian Arciemowicz
Security: http://securityreason.com/achievement_securityalert/53
Submitted by: Maxim Dounin <mdounin@mdounin.ru>
MFC after: 3 days
Notes
Notes:
svn path=/head/; revision=178312
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/stdlib/strfmon.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/libc/stdlib/strfmon.c b/lib/libc/stdlib/strfmon.c
index 7ebded7a4c0c..abfa33249223 100644
--- a/lib/libc/stdlib/strfmon.c
+++ b/lib/libc/stdlib/strfmon.c
@@ -67,6 +67,8 @@ __FBSDID("$FreeBSD$");
 while (isdigit((unsigned char)*fmt)) { \
 VAR *= 10; \
 VAR += *fmt - '0'; \
+ if (VAR < 0) \
+ goto e2big_error; \
 fmt++; \
 } \
 } while (0)
@@ -187,7 +189,7 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
 /* Do we have enough space to put number with
 * required width ?
 */
- if (dst + width >= s + maxsize)
+ if ((unsigned int)width >= maxsize - (dst - s))
 goto e2big_error;
 }

@@ -196,6 +198,8 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
 if (!isdigit((unsigned char)*++fmt))
 goto format_error;
 GET_NUMBER(left_prec);
+ if ((unsigned int)left_prec >= maxsize - (dst - s))
+ goto e2big_error;
 }

 /* Right precision */
@@ -203,6 +207,9 @@ strfmon(char * __restrict s, size_t maxsize, const char * __restrict format,
 if (!isdigit((unsigned char)*++fmt))
 goto format_error;
 GET_NUMBER(right_prec);
+ if ((unsigned int)right_prec >= maxsize - (dst - s) -
+ left_prec)
+ goto e2big_error;
 }

 /* Conversion Characters */ |
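Review bot: The new `if (VAR < 0)` test in GET_NUMBER runs after `VAR *= 10` and `VAR += *fmt - '0'`, so it only fires once signed overflow has already happened. Assuming VAR is an `int`, as the `(unsigned int)` casts later in the patch suggest, that overflow is undefined behaviour, and a multiplication that wraps can also land on a positive value the test never sees. Checking before the arithmetic avoids both: `if (VAR > (INT_MAX - (*fmt - '0')) / 10) goto e2big_error;` placed ahead of `VAR *= 10;`, with `<limits.h>` included if the file does not already pull it in. The macro's opening lines are outside the hunk.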
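Review bot: The rewritten width test `(unsigned int)width >= maxsize - (dst - s)` is only correct while `dst` stays within `s .. s + maxsize`, and nothing at this spot records that assumption. If `dst - s` ever exceeded `maxsize`, the subtraction would wrap in `size_t` and the check would pass. The same expression is repeated in the left-precision and right-precision hunks that follow. A comment above the first use, such as `/* invariant: s <= dst <= s + maxsize, so maxsize - (dst - s) is the space left */`, or a single local holding the remaining space, would keep the three checks in step. The enclosing block of strfmon() begins outside the hunk.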
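Review bot: The right-precision bound subtracts `left_prec` unconditionally, but `left_prec` is only range-checked in the previous hunk, and only when a left precision was actually parsed. Its value otherwise is set outside the hunks shown. If that default is a negative sentinel, the conversion to `size_t` turns `- left_prec` into an addition and the limit becomes larger than the space really left in the buffer. Subtracting only a value known to be non-negative closes that gap, for example `maxsize - (dst - s) - (left_prec > 0 ? left_prec : 0)`.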