domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2912f9f2a2e5997df069d38e20d85ff4cc51acef
openwrt_NSS_ACW/toolchain/musl/patches/040-fix-integer-overflows-and-uncaught-eoverflow-in-printf-core.patch
Koen Vandeputte 2912f9f2a2 musl: backport various post-1.1.15 fixes 
Backport most important fixes up to latest HEAD

- Taken post-commit reverts/fixes into account

Compile tested
Run-tested on cns3xxx & imx6 targets

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2016-12-26 11:17:33 +01:00

391 lines
12 KiB
Diff
Raw Blame History

From 167dfe9672c116b315e72e57a55c7769f180dffa Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Thu, 20 Oct 2016 00:22:09 -0400
Subject: fix integer overflows and uncaught EOVERFLOW in printf core
this patch fixes a large number of missed internal signed-overflow
checks and errors in determining when the return value (output length)
would exceed INT_MAX, which should result in EOVERFLOW. some of the
issues fixed were reported by Alexander Cherepanov; others were found
in subsequent review of the code.
aside from the signed overflows being undefined behavior, the
following specific bugs were found to exist in practice:
- overflows computing length of floating point formats with huge
explicit precisions, integer formats with prefix characters and huge
explicit precisions, or string arguments or format strings longer
than INT_MAX, resulted in wrong return value and wrong %n results.
- literal width and precision values outside the range of int were
misinterpreted, yielding wrong behavior in at least one well-defined
case: string formats with precision greater than INT_MAX were
sometimes truncated.
- in cases where EOVERFLOW is produced, incorrect values could be
written for %n specifiers past the point of exceeding INT_MAX.
in addition to fixing these bugs, we now stop producing output
immediately when output length would exceed INT_MAX, rather than
continuing and returning an error only at the end.
---
src/stdio/vfprintf.c | 72 +++++++++++++++++++++++++++++++++++----------------
src/stdio/vfwprintf.c | 63 +++++++++++++++++++++++++++-----------------
2 files changed, 89 insertions(+), 46 deletions(-)
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index cd17ad7..e2ab2dc 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -272,6 +272,8 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
if (s-buf==1 && (y||p>0||(fl&ALT_FORM))) *s++='.';
} while (y);
+ if (p > INT_MAX-2-(ebuf-estr)-pl)
+ return -1;
if (p && s-buf-2 < p)
l = (p+2) + (ebuf-estr);
else
@@ -383,17 +385,22 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
p = MIN(p,MAX(0,9*(z-r-1)+e-j));
}
}
+ if (p > INT_MAX-1-(p || (fl&ALT_FORM)))
+ return -1;
l = 1 + p + (p || (fl&ALT_FORM));
if ((t|32)=='f') {
+ if (e > INT_MAX-l) return -1;
if (e>0) l+=e;
} else {
estr=fmt_u(e<0 ? -e : e, ebuf);
while(ebuf-estr<2) *--estr='0';
*--estr = (e<0 ? '-' : '+');
*--estr = t;
+ if (ebuf-estr > INT_MAX-l) return -1;
l += ebuf-estr;
}
+ if (l > INT_MAX-pl) return -1;
pad(f, ' ', w, pl+l, fl);
out(f, prefix, pl);
pad(f, '0', w, pl+l, fl^ZERO_PAD);
@@ -437,8 +444,10 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
static int getint(char **s) {
int i;
- for (i=0; isdigit(**s); (*s)++)
- i = 10*i + (**s-'0');
+ for (i=0; isdigit(**s); (*s)++) {
+ if (i > INT_MAX/10U || **s-'0' > INT_MAX-10*i) i = -1;
+ else i = 10*i + (**s-'0');
+ }
return i;
}
@@ -446,12 +455,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
{
char *a, *z, *s=(char *)fmt;
unsigned l10n=0, fl;
- int w, p;
+ int w, p, xp;
union arg arg;
int argpos;
unsigned st, ps;
int cnt=0, l=0;
- int i;
+ size_t i;
char buf[sizeof(uintmax_t)*3+3+LDBL_MANT_DIG/4];
const char *prefix;
int t, pl;
@@ -459,18 +468,19 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
char mb[4];
for (;;) {
+ /* This error is only specified for snprintf, but since it's
+ * unspecified for other forms, do the same. Stop immediately
+ * on overflow; otherwise %n could produce wrong results. */
+ if (l > INT_MAX - cnt) goto overflow;
+
/* Update output count, end loop when fmt is exhausted */
- if (cnt >= 0) {
- if (l > INT_MAX - cnt) {
- errno = EOVERFLOW;
- cnt = -1;
- } else cnt += l;
- }
+ cnt += l;
if (!*s) break;
/* Handle literal text and %% format specifiers */
for (a=s; *s && *s!='%'; s++);
for (z=s; s[0]=='%' && s[1]=='%'; z++, s+=2);
+ if (z-a > INT_MAX-cnt) goto overflow;
l = z-a;
if (f) out(f, a, l);
if (l) continue;
@@ -498,9 +508,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
} else if (!l10n) {
w = f ? va_arg(*ap, int) : 0;
s++;
- } else return -1;
+ } else goto inval;
if (w<0) fl|=LEFT_ADJ, w=-w;
- } else if ((w=getint(&s))<0) return -1;
+ } else if ((w=getint(&s))<0) goto overflow;
/* Read precision */
if (*s=='.' && s[1]=='*') {
@@ -511,24 +521,29 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
} else if (!l10n) {
p = f ? va_arg(*ap, int) : 0;
s+=2;
- } else return -1;
+ } else goto inval;
+ xp = (p>=0);
} else if (*s=='.') {
s++;
p = getint(&s);
- } else p = -1;
+ xp = 1;
+ } else {
+ p = -1;
+ xp = 0;
+ }
/* Format specifier state machine */
st=0;
do {
- if (OOB(*s)) return -1;
+ if (OOB(*s)) goto inval;
ps=st;
st=states[st]S(*s++);
} while (st-1<STOP);
- if (!st) return -1;
+ if (!st) goto inval;
/* Check validity of argument type (nl/normal) */
if (st==NOARG) {
- if (argpos>=0) return -1;
+ if (argpos>=0) goto inval;
} else {
if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos];
else if (f) pop_arg(&arg, st, ap);
@@ -584,6 +599,7 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
case 'u':
a = fmt_u(arg.i, z);
}
+ if (xp && p<0) goto overflow;
if (p>=0) fl &= ~ZERO_PAD;
if (!arg.i && !p) {
a=z;
@@ -599,9 +615,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
if (1) a = strerror(errno); else
case 's':
a = arg.p ? arg.p : "(null)";
- z = memchr(a, 0, p);
- if (!z) z=a+p;
- else p=z-a;
+ z = a + strnlen(a, p<0 ? INT_MAX : p);
+ if (p<0 && *z) goto overflow;
+ p = z-a;
fl &= ~ZERO_PAD;
break;
case 'C':
@@ -611,8 +627,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
p = -1;
case 'S':
ws = arg.p;
- for (i=l=0; i<0U+p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l);
+ for (i=l=0; i<p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=p-i; i+=l);
if (l<0) return -1;
+ if (i > INT_MAX) goto overflow;
p = i;
pad(f, ' ', w, p, fl);
ws = arg.p;
@@ -623,12 +640,16 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
continue;
case 'e': case 'f': case 'g': case 'a':
case 'E': case 'F': case 'G': case 'A':
+ if (xp && p<0) goto overflow;
l = fmt_fp(f, arg.f, w, p, fl, t);
+ if (l<0) goto overflow;
continue;
}
if (p < z-a) p = z-a;
+ if (p > INT_MAX-pl) goto overflow;
if (w < pl+p) w = pl+p;
+ if (w > INT_MAX-cnt) goto overflow;
pad(f, ' ', w, pl+p, fl);
out(f, prefix, pl);
@@ -646,8 +667,15 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg,
for (i=1; i<=NL_ARGMAX && nl_type[i]; i++)
pop_arg(nl_arg+i, nl_type[i], ap);
for (; i<=NL_ARGMAX && !nl_type[i]; i++);
- if (i<=NL_ARGMAX) return -1;
+ if (i<=NL_ARGMAX) goto inval;
return 1;
+
+inval:
+ errno = EINVAL;
+ return -1;
+overflow:
+ errno = EOVERFLOW;
+ return -1;
}
int vfprintf(FILE *restrict f, const char *restrict fmt, va_list ap)
diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index f9f1ecf..b8fff20 100644
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -154,8 +154,10 @@ static void out(FILE *f, const wchar_t *s, size_t l)
static int getint(wchar_t **s) {
int i;
- for (i=0; iswdigit(**s); (*s)++)
- i = 10*i + (**s-'0');
+ for (i=0; iswdigit(**s); (*s)++) {
+ if (i > INT_MAX/10U || **s-'0' > INT_MAX-10*i) i = -1;
+ else i = 10*i + (**s-'0');
+ }
return i;
}
@@ -168,8 +170,8 @@ static const char sizeprefix['y'-'a'] = {
static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_arg, int *nl_type)
{
wchar_t *a, *z, *s=(wchar_t *)fmt;
- unsigned l10n=0, litpct, fl;
- int w, p;
+ unsigned l10n=0, fl;
+ int w, p, xp;
union arg arg;
int argpos;
unsigned st, ps;
@@ -181,20 +183,19 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
wchar_t wc;
for (;;) {
+ /* This error is only specified for snprintf, but since it's
+ * unspecified for other forms, do the same. Stop immediately
+ * on overflow; otherwise %n could produce wrong results. */
+ if (l > INT_MAX - cnt) goto overflow;
+
/* Update output count, end loop when fmt is exhausted */
- if (cnt >= 0) {
- if (l > INT_MAX - cnt) {
- if (!ferror(f)) errno = EOVERFLOW;
- cnt = -1;
- } else cnt += l;
- }
+ cnt += l;
if (!*s) break;
/* Handle literal text and %% format specifiers */
for (a=s; *s && *s!='%'; s++);
- litpct = wcsspn(s, L"%")/2; /* Optimize %%%% runs */
- z = s+litpct;
- s += 2*litpct;
+ for (z=s; s[0]=='%' && s[1]=='%'; z++, s+=2);
+ if (z-a > INT_MAX-cnt) goto overflow;
l = z-a;
if (f) out(f, a, l);
if (l) continue;
@@ -222,9 +223,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
} else if (!l10n) {
w = f ? va_arg(*ap, int) : 0;
s++;
- } else return -1;
+ } else goto inval;
if (w<0) fl|=LEFT_ADJ, w=-w;
- } else if ((w=getint(&s))<0) return -1;
+ } else if ((w=getint(&s))<0) goto overflow;
/* Read precision */
if (*s=='.' && s[1]=='*') {
@@ -235,24 +236,29 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
} else if (!l10n) {
p = f ? va_arg(*ap, int) : 0;
s+=2;
- } else return -1;
+ } else goto inval;
+ xp = (p>=0);
} else if (*s=='.') {
s++;
p = getint(&s);
- } else p = -1;
+ xp = 1;
+ } else {
+ p = -1;
+ xp = 0;
+ }
/* Format specifier state machine */
st=0;
do {
- if (OOB(*s)) return -1;
+ if (OOB(*s)) goto inval;
ps=st;
st=states[st]S(*s++);
} while (st-1<STOP);
- if (!st) return -1;
+ if (!st) goto inval;
/* Check validity of argument type (nl/normal) */
if (st==NOARG) {
- if (argpos>=0) return -1;
+ if (argpos>=0) goto inval;
} else {
if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos];
else if (f) pop_arg(&arg, st, ap);
@@ -285,8 +291,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
continue;
case 'S':
a = arg.p;
- z = wmemchr(a, 0, p);
- if (z) p=z-a;
+ z = a + wcsnlen(a, p<0 ? INT_MAX : p);
+ if (p<0 && *z) goto overflow;
+ p = z-a;
if (w<p) w=p;
if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
out(f, a, p);
@@ -298,9 +305,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
case 's':
if (!arg.p) arg.p = "(null)";
bs = arg.p;
- if (p<0) p = INT_MAX;
- for (i=l=0; l<p && (i=mbtowc(&wc, bs, MB_LEN_MAX))>0; bs+=i, l++);
+ for (i=l=0; l<(p<0?INT_MAX:p) && (i=mbtowc(&wc, bs, MB_LEN_MAX))>0; bs+=i, l++);
if (i<0) return -1;
+ if (p<0 && *bs) goto overflow;
p=l;
if (w<p) w=p;
if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, "");
@@ -315,6 +322,7 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
continue;
}
+ if (xp && p<0) goto overflow;
snprintf(charfmt, sizeof charfmt, "%%%s%s%s%s%s*.*%c%c",
"#"+!(fl & ALT_FORM),
"+"+!(fl & MARK_POS),
@@ -341,6 +349,13 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_
for (; i<=NL_ARGMAX && !nl_type[i]; i++);
if (i<=NL_ARGMAX) return -1;
return 1;
+
+inval:
+ errno = EINVAL;
+ return -1;
+overflow:
+ errno = EOVERFLOW;
+ return -1;
}
int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
--
cgit v0.11.2
Reference in New Issue View Git Blame Copy Permalink