diff options
Diffstat (limited to 'main/musl/0017-fix-integer-overflows-and-uncaught-EOVERFLOW-in-prin.patch')
-rw-r--r-- | main/musl/0017-fix-integer-overflows-and-uncaught-EOVERFLOW-in-prin.patch | 392 |
1 files changed, 392 insertions, 0 deletions
diff --git a/main/musl/0017-fix-integer-overflows-and-uncaught-EOVERFLOW-in-prin.patch b/main/musl/0017-fix-integer-overflows-and-uncaught-EOVERFLOW-in-prin.patch new file mode 100644 index 000000000..c8fb63f1d --- /dev/null +++ b/main/musl/0017-fix-integer-overflows-and-uncaught-EOVERFLOW-in-prin.patch @@ -0,0 +1,392 @@ +From 167dfe9672c116b315e72e57a55c7769f180dffa Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Thu, 20 Oct 2016 00:22:09 -0400 +Subject: [PATCH 17/18] fix integer overflows and uncaught EOVERFLOW in printf + core + +this patch fixes a large number of missed internal signed-overflow +checks and errors in determining when the return value (output length) +would exceed INT_MAX, which should result in EOVERFLOW. some of the +issues fixed were reported by Alexander Cherepanov; others were found +in subsequent review of the code. + +aside from the signed overflows being undefined behavior, the +following specific bugs were found to exist in practice: + +- overflows computing length of floating point formats with huge + explicit precisions, integer formats with prefix characters and huge + explicit precisions, or string arguments or format strings longer + than INT_MAX, resulted in wrong return value and wrong %n results. + +- literal width and precision values outside the range of int were + misinterpreted, yielding wrong behavior in at least one well-defined + case: string formats with precision greater than INT_MAX were + sometimes truncated. + +- in cases where EOVERFLOW is produced, incorrect values could be + written for %n specifiers past the point of exceeding INT_MAX. + +in addition to fixing these bugs, we now stop producing output +immediately when output length would exceed INT_MAX, rather than +continuing and returning an error only at the end. +--- + src/stdio/vfprintf.c | 72 +++++++++++++++++++++++++++++++++++---------------- + src/stdio/vfwprintf.c | 63 +++++++++++++++++++++++++++----------------- + 2 files changed, 89 insertions(+), 46 deletions(-) + +diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c +index cd17ad7..e2ab2dc 100644 +--- a/src/stdio/vfprintf.c ++++ b/src/stdio/vfprintf.c +@@ -272,6 +272,8 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) + if (s-buf==1 && (y||p>0||(fl&ALT_FORM))) *s++='.'; + } while (y); + ++ if (p > INT_MAX-2-(ebuf-estr)-pl) ++ return -1; + if (p && s-buf-2 < p) + l = (p+2) + (ebuf-estr); + else +@@ -383,17 +385,22 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) + p = MIN(p,MAX(0,9*(z-r-1)+e-j)); + } + } ++ if (p > INT_MAX-1-(p || (fl&ALT_FORM))) ++ return -1; + l = 1 + p + (p || (fl&ALT_FORM)); + if ((t|32)=='f') { ++ if (e > INT_MAX-l) return -1; + if (e>0) l+=e; + } else { + estr=fmt_u(e<0 ? -e : e, ebuf); + while(ebuf-estr<2) *--estr='0'; + *--estr = (e<0 ? '-' : '+'); + *--estr = t; ++ if (ebuf-estr > INT_MAX-l) return -1; + l += ebuf-estr; + } + ++ if (l > INT_MAX-pl) return -1; + pad(f, ' ', w, pl+l, fl); + out(f, prefix, pl); + pad(f, '0', w, pl+l, fl^ZERO_PAD); +@@ -437,8 +444,10 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) + + static int getint(char **s) { + int i; +- for (i=0; isdigit(**s); (*s)++) +- i = 10*i + (**s-'0'); ++ for (i=0; isdigit(**s); (*s)++) { ++ if (i > INT_MAX/10U || **s-'0' > INT_MAX-10*i) i = -1; ++ else i = 10*i + (**s-'0'); ++ } + return i; + } + +@@ -446,12 +455,12 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + { + char *a, *z, *s=(char *)fmt; + unsigned l10n=0, fl; +- int w, p; ++ int w, p, xp; + union arg arg; + int argpos; + unsigned st, ps; + int cnt=0, l=0; +- int i; ++ size_t i; + char buf[sizeof(uintmax_t)*3+3+LDBL_MANT_DIG/4]; + const char *prefix; + int t, pl; +@@ -459,18 +468,19 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + char mb[4]; + + for (;;) { ++ /* This error is only specified for snprintf, but since it's ++ * unspecified for other forms, do the same. Stop immediately ++ * on overflow; otherwise %n could produce wrong results. */ ++ if (l > INT_MAX - cnt) goto overflow; ++ + /* Update output count, end loop when fmt is exhausted */ +- if (cnt >= 0) { +- if (l > INT_MAX - cnt) { +- errno = EOVERFLOW; +- cnt = -1; +- } else cnt += l; +- } ++ cnt += l; + if (!*s) break; + + /* Handle literal text and %% format specifiers */ + for (a=s; *s && *s!='%'; s++); + for (z=s; s[0]=='%' && s[1]=='%'; z++, s+=2); ++ if (z-a > INT_MAX-cnt) goto overflow; + l = z-a; + if (f) out(f, a, l); + if (l) continue; +@@ -498,9 +508,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + } else if (!l10n) { + w = f ? va_arg(*ap, int) : 0; + s++; +- } else return -1; ++ } else goto inval; + if (w<0) fl|=LEFT_ADJ, w=-w; +- } else if ((w=getint(&s))<0) return -1; ++ } else if ((w=getint(&s))<0) goto overflow; + + /* Read precision */ + if (*s=='.' && s[1]=='*') { +@@ -511,24 +521,29 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + } else if (!l10n) { + p = f ? va_arg(*ap, int) : 0; + s+=2; +- } else return -1; ++ } else goto inval; ++ xp = (p>=0); + } else if (*s=='.') { + s++; + p = getint(&s); +- } else p = -1; ++ xp = 1; ++ } else { ++ p = -1; ++ xp = 0; ++ } + + /* Format specifier state machine */ + st=0; + do { +- if (OOB(*s)) return -1; ++ if (OOB(*s)) goto inval; + ps=st; + st=states[st]S(*s++); + } while (st-1<STOP); +- if (!st) return -1; ++ if (!st) goto inval; + + /* Check validity of argument type (nl/normal) */ + if (st==NOARG) { +- if (argpos>=0) return -1; ++ if (argpos>=0) goto inval; + } else { + if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos]; + else if (f) pop_arg(&arg, st, ap); +@@ -584,6 +599,7 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + case 'u': + a = fmt_u(arg.i, z); + } ++ if (xp && p<0) goto overflow; + if (p>=0) fl &= ~ZERO_PAD; + if (!arg.i && !p) { + a=z; +@@ -599,9 +615,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + if (1) a = strerror(errno); else + case 's': + a = arg.p ? arg.p : "(null)"; +- z = memchr(a, 0, p); +- if (!z) z=a+p; +- else p=z-a; ++ z = a + strnlen(a, p<0 ? INT_MAX : p); ++ if (p<0 && *z) goto overflow; ++ p = z-a; + fl &= ~ZERO_PAD; + break; + case 'C': +@@ -611,8 +627,9 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + p = -1; + case 'S': + ws = arg.p; +- for (i=l=0; i<0U+p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=0U+p-i; i+=l); ++ for (i=l=0; i<p && *ws && (l=wctomb(mb, *ws++))>=0 && l<=p-i; i+=l); + if (l<0) return -1; ++ if (i > INT_MAX) goto overflow; + p = i; + pad(f, ' ', w, p, fl); + ws = arg.p; +@@ -623,12 +640,16 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + continue; + case 'e': case 'f': case 'g': case 'a': + case 'E': case 'F': case 'G': case 'A': ++ if (xp && p<0) goto overflow; + l = fmt_fp(f, arg.f, w, p, fl, t); ++ if (l<0) goto overflow; + continue; + } + + if (p < z-a) p = z-a; ++ if (p > INT_MAX-pl) goto overflow; + if (w < pl+p) w = pl+p; ++ if (w > INT_MAX-cnt) goto overflow; + + pad(f, ' ', w, pl+p, fl); + out(f, prefix, pl); +@@ -646,8 +667,15 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, + for (i=1; i<=NL_ARGMAX && nl_type[i]; i++) + pop_arg(nl_arg+i, nl_type[i], ap); + for (; i<=NL_ARGMAX && !nl_type[i]; i++); +- if (i<=NL_ARGMAX) return -1; ++ if (i<=NL_ARGMAX) goto inval; + return 1; ++ ++inval: ++ errno = EINVAL; ++ return -1; ++overflow: ++ errno = EOVERFLOW; ++ return -1; + } + + int vfprintf(FILE *restrict f, const char *restrict fmt, va_list ap) +diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c +index f9f1ecf..b8fff20 100644 +--- a/src/stdio/vfwprintf.c ++++ b/src/stdio/vfwprintf.c +@@ -154,8 +154,10 @@ static void out(FILE *f, const wchar_t *s, size_t l) + + static int getint(wchar_t **s) { + int i; +- for (i=0; iswdigit(**s); (*s)++) +- i = 10*i + (**s-'0'); ++ for (i=0; iswdigit(**s); (*s)++) { ++ if (i > INT_MAX/10U || **s-'0' > INT_MAX-10*i) i = -1; ++ else i = 10*i + (**s-'0'); ++ } + return i; + } + +@@ -168,8 +170,8 @@ static const char sizeprefix['y'-'a'] = { + static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_arg, int *nl_type) + { + wchar_t *a, *z, *s=(wchar_t *)fmt; +- unsigned l10n=0, litpct, fl; +- int w, p; ++ unsigned l10n=0, fl; ++ int w, p, xp; + union arg arg; + int argpos; + unsigned st, ps; +@@ -181,20 +183,19 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + wchar_t wc; + + for (;;) { ++ /* This error is only specified for snprintf, but since it's ++ * unspecified for other forms, do the same. Stop immediately ++ * on overflow; otherwise %n could produce wrong results. */ ++ if (l > INT_MAX - cnt) goto overflow; ++ + /* Update output count, end loop when fmt is exhausted */ +- if (cnt >= 0) { +- if (l > INT_MAX - cnt) { +- if (!ferror(f)) errno = EOVERFLOW; +- cnt = -1; +- } else cnt += l; +- } ++ cnt += l; + if (!*s) break; + + /* Handle literal text and %% format specifiers */ + for (a=s; *s && *s!='%'; s++); +- litpct = wcsspn(s, L"%")/2; /* Optimize %%%% runs */ +- z = s+litpct; +- s += 2*litpct; ++ for (z=s; s[0]=='%' && s[1]=='%'; z++, s+=2); ++ if (z-a > INT_MAX-cnt) goto overflow; + l = z-a; + if (f) out(f, a, l); + if (l) continue; +@@ -222,9 +223,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + } else if (!l10n) { + w = f ? va_arg(*ap, int) : 0; + s++; +- } else return -1; ++ } else goto inval; + if (w<0) fl|=LEFT_ADJ, w=-w; +- } else if ((w=getint(&s))<0) return -1; ++ } else if ((w=getint(&s))<0) goto overflow; + + /* Read precision */ + if (*s=='.' && s[1]=='*') { +@@ -235,24 +236,29 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + } else if (!l10n) { + p = f ? va_arg(*ap, int) : 0; + s+=2; +- } else return -1; ++ } else goto inval; ++ xp = (p>=0); + } else if (*s=='.') { + s++; + p = getint(&s); +- } else p = -1; ++ xp = 1; ++ } else { ++ p = -1; ++ xp = 0; ++ } + + /* Format specifier state machine */ + st=0; + do { +- if (OOB(*s)) return -1; ++ if (OOB(*s)) goto inval; + ps=st; + st=states[st]S(*s++); + } while (st-1<STOP); +- if (!st) return -1; ++ if (!st) goto inval; + + /* Check validity of argument type (nl/normal) */ + if (st==NOARG) { +- if (argpos>=0) return -1; ++ if (argpos>=0) goto inval; + } else { + if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos]; + else if (f) pop_arg(&arg, st, ap); +@@ -285,8 +291,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + continue; + case 'S': + a = arg.p; +- z = wmemchr(a, 0, p); +- if (z) p=z-a; ++ z = a + wcsnlen(a, p<0 ? INT_MAX : p); ++ if (p<0 && *z) goto overflow; ++ p = z-a; + if (w<p) w=p; + if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, ""); + out(f, a, p); +@@ -298,9 +305,9 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + case 's': + if (!arg.p) arg.p = "(null)"; + bs = arg.p; +- if (p<0) p = INT_MAX; +- for (i=l=0; l<p && (i=mbtowc(&wc, bs, MB_LEN_MAX))>0; bs+=i, l++); ++ for (i=l=0; l<(p<0?INT_MAX:p) && (i=mbtowc(&wc, bs, MB_LEN_MAX))>0; bs+=i, l++); + if (i<0) return -1; ++ if (p<0 && *bs) goto overflow; + p=l; + if (w<p) w=p; + if (!(fl&LEFT_ADJ)) fprintf(f, "%*s", w-p, ""); +@@ -315,6 +322,7 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + continue; + } + ++ if (xp && p<0) goto overflow; + snprintf(charfmt, sizeof charfmt, "%%%s%s%s%s%s*.*%c%c", + "#"+!(fl & ALT_FORM), + "+"+!(fl & MARK_POS), +@@ -341,6 +349,13 @@ static int wprintf_core(FILE *f, const wchar_t *fmt, va_list *ap, union arg *nl_ + for (; i<=NL_ARGMAX && !nl_type[i]; i++); + if (i<=NL_ARGMAX) return -1; + return 1; ++ ++inval: ++ errno = EINVAL; ++ return -1; ++overflow: ++ errno = EOVERFLOW; ++ return -1; + } + + int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap) +-- +2.10.1 + |