Merge pull request #4121 from clayton-shopify/fix-sprintf-overflow

Prevent signed integer overflow.

Merge pull request #4121 from clayton-shopify/fix-sprintf-overflow
Prevent signed integer overflow.
05595c12 · Yukihiro "Matz" Matsumoto · GitHub · 2661ac70 · 2760cea4 · 05595c12
Unverified Commit 05595c12 authored Sep 16, 2018 by Yukihiro "Matz" Matsumoto Committed by GitHub Sep 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 5 deletions

mrbgems/mruby-sprintf/src/sprintf.c mrbgems/mruby-sprintf/src/sprintf.c +5 -5

No files found.
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -200,7 +200,7 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len)

 #define GETNUM(n, val) \
  for (; p < end && ISDIGIT(*p); p++) {\
-    if (n > MRB_INT_MAX/10) {\
+    if (n > (MRB_INT_MAX - (*p - '0'))/10) {\
      mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \
    } \
    n = 10 * n + (*p - '0'); \
@@ -1056,18 +1056,18 @@ retry:
          if (i > 0)
            need = BIT_DIGITS(i);
        }
-        need += (flags&FPREC) ? prec : 6;
-        if (need < 0) {
+        if (need > MRB_INT_MAX - ((flags&FPREC) ? prec : 6)) {
        too_big_width:
          mrb_raise(mrb, E_ARGUMENT_ERROR,
                    (width > prec ? "width too big" : "prec too big"));
        }
+        need += (flags&FPREC) ? prec : 6;
        if ((flags&FWIDTH) && need < width)
          need = width;
-        need += 20;
-        if (need <= 0) {
+        if (need > MRB_INT_MAX - 20) {
          goto too_big_width;
        }
+        need += 20;

        CHECK(need);
        n = snprintf(&buf[blen], need, fbuf, fval);