Unverified Commit 05595c12 authored by Yukihiro "Matz" Matsumoto's avatar Yukihiro "Matz" Matsumoto Committed by GitHub

Merge pull request #4121 from clayton-shopify/fix-sprintf-overflow

Prevent signed integer overflow.
parents 2661ac70 2760cea4
...@@ -200,7 +200,7 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len) ...@@ -200,7 +200,7 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len)
#define GETNUM(n, val) \ #define GETNUM(n, val) \
for (; p < end && ISDIGIT(*p); p++) {\ for (; p < end && ISDIGIT(*p); p++) {\
if (n > MRB_INT_MAX/10) {\ if (n > (MRB_INT_MAX - (*p - '0'))/10) {\
mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \ mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \
} \ } \
n = 10 * n + (*p - '0'); \ n = 10 * n + (*p - '0'); \
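Review bot: The new guard in GETNUM derives its bound from MRB_INT_MAX, so it only prevents the overflow in `n = 10 * n + (*p - '0')` when the variable passed as `n` is an mrb_int or wider. The declarations of the variables the callers pass are outside this hunk, so that is worth confirming; with a narrower `int` the comparison could never fire on a build where mrb_int is 64-bit. A comment above the macro would record the requirement, for example `/* n must be an mrb_int: raises before 10*n + digit can exceed MRB_INT_MAX */`. The macro body continues past the last line shown here.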
...@@ -1056,18 +1056,18 @@ retry: ...@@ -1056,18 +1056,18 @@ retry:
if (i > 0) if (i > 0)
need = BIT_DIGITS(i); need = BIT_DIGITS(i);
} }
need += (flags&FPREC) ? prec : 6; if (need > MRB_INT_MAX - ((flags&FPREC) ? prec : 6)) {
if (need < 0) {
too_big_width: too_big_width:
mrb_raise(mrb, E_ARGUMENT_ERROR, mrb_raise(mrb, E_ARGUMENT_ERROR,
(width > prec ? "width too big" : "prec too big")); (width > prec ? "width too big" : "prec too big"));
} }
need += (flags&FPREC) ? prec : 6;
if ((flags&FWIDTH) && need < width) if ((flags&FWIDTH) && need < width)
need = width; need = width;
need += 20; if (need > MRB_INT_MAX - 20) {
if (need <= 0) {
goto too_big_width; goto too_big_width;
} }
need += 20;
CHECK(need); CHECK(need);
n = snprintf(&buf[blen], need, fbuf, fval); n = snprintf(&buf[blen], need, fbuf, fval);
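Review bot: Both new checks bound `need` against MRB_INT_MAX alone, so a value just below that limit still reaches `CHECK(need)` and `snprintf(&buf[blen], need, fbuf, fval)`. CHECK is defined outside this hunk; if it adds `need` to `blen` when growing the buffer, that sum can still overflow for a very large width or precision. In that case the second guard should account for the bytes already written, for example `if (need > MRB_INT_MAX - 20 - blen) goto too_big_width;`, assuming `blen` is a non-negative mrb_int. The enclosing function starts and ends outside the hunk, so the types of `need`, `prec` and `blen` could not be checked here.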
......