luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mprintf: fix the integer overflow checks

Browse Source 
When a floating point precision or string width are provided as a
base-10 number, the code could miss to detect integer overflows if the
provided value was exactly 2147483648 or 2147483649 (2147483647 being
the maxium value a signed integer can hold).

The chance that such values would actually ever be used is slim.

This change fixes the detection to also cover those edge cases.

Closes #15699
This commit is contained in:
Daniel Stenberg 2024-12-06 16:01:50 +01:00
parent ec14be6a4d
commit 59fec5ac43
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/mprintf.c
View File

@ -321,10 +321,10 @@ static int parsefmt(const char *format,
fmt++; fmt++;
} }
while(ISDIGIT(*fmt)) { while(ISDIGIT(*fmt)) {
if(precision > INT_MAX/10) int n = *fmt - '0';
if(precision > (INT_MAX - n) / 10)
return PFMT_PREC; return PFMT_PREC;
precision *= 10; precision = precision * 10 + n;
precision += *fmt - '0';
fmt++; fmt++;
} }
if(is_neg) if(is_neg)
@ -397,10 +397,10 @@ static int parsefmt(const char *format,
width = 0; width = 0;
fmt--; fmt--;
do { do {
if(width > INT_MAX/10) int n = *fmt - '0';
if(width > (INT_MAX - n) / 10)
return PFMT_WIDTH; return PFMT_WIDTH;
width *= 10; width = width * 10 + n;
width += *fmt - '0';
fmt++; fmt++;
} while(ISDIGIT(*fmt)); } while(ISDIGIT(*fmt));
break; break;