Fix integer overflow issue; fix #4108

I misunderstood the return value from `snprintf()`, which is NOT number of characters written in buffer, but the number of character the buffer has to have to write the complete output.

Fix integer overflow issue; fix #4108
I misunderstood the return value from `snprintf()`, which is NOT number of characters written in buffer, but the number of character the buffer has to have to write the complete output.
625976d7 · Yukihiro "Matz" Matsumoto · 3447162a · 625976d7
Commit 625976d7 authored Sep 07, 2018 by Yukihiro "Matz" Matsumoto
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

mrbgems/mruby-sprintf/src/sprintf.c mrbgems/mruby-sprintf/src/sprintf.c +7 -3

No files found.
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -1057,17 +1057,21 @@ retry:
            need = BIT_DIGITS(i);
        }
        need += (flags&FPREC) ? prec : 6;
+        if (need < 0) {
+        too_big_width:
+          mrb_raise(mrb, E_ARGUMENT_ERROR,
+                    (width > prec ? "width too big" : "prec too big"));
+        }
        if ((flags&FWIDTH) && need < width)
          need = width;
        need += 20;
        if (need <= 0) {
-          mrb_raise(mrb, E_ARGUMENT_ERROR,
-                    (width > prec ? "width too big" : "prec too big"));
+          goto too_big_width;
        }

        CHECK(need);
        n = snprintf(&buf[blen], need, fbuf, fval);
-        if (n < 0) {
+        if (n < 0 || n >= need) {
          mrb_raise(mrb, E_RUNTIME_ERROR, "formatting error");
        }
        blen += n;