File curl-7.37-CVE-2016-9586.patch of Package curl.10931
From 18562547930ad546c1b2bad184926548047d2b5f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 8 Nov 2016 15:32:37 +0100
Subject: [PATCH v2] printf: fix floating point buffer overflow issues
... and add a bunch of floating point printf tests
---
 lib/mprintf.c | 20 +++++++-
 tests/data/test557 | 1 +
 tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 152 insertions(+), 5 deletions(-)
diff --git a/lib/mprintf.c b/lib/mprintf.c
index e1ad537f6..e3a690bb3 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -90,11 +90,12 @@
 #else
 # define mp_intmax_t long
 # define mp_uintmax_t unsigned long
 #endif
-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+ fit negative DBL_MAX (317 letters) */
 #define MAX_PARAMETERS 128 /* lame static limit */
 #ifdef __AMIGA__
 # undef FORMAT_INT
 #endif
@@ -914,16 +915,29 @@ static int dprintf_formatf(
 *fptr++ = '#';
 *fptr = 0;
 if(width >= 0) {
+ if(width >= (long)sizeof(work))
+ width = sizeof(work)-1;
 /* RECURSIVE USAGE */
 len = curl_msnprintf(fptr, left, "%ld", width);
 fptr += len;
 left -= len;
 }
 if(prec >= 0) {
+ /* for each digit in the integer part, we can have one less
+ precision */
+ size_t maxprec = sizeof(work) - 2;
+ double val = p->data.dnum;
+ while(val >= 10.0) {
+ val /= 10;
+ maxprec--;
+ }
+
+ if(prec > (long)maxprec)
+ prec = maxprec-1;
 /* RECURSIVE USAGE */
 len = curl_msnprintf(fptr, left, ".%ld", prec);
 fptr += len;
 }
 if(p->flags & FLAGS_LONG)
@@ -939,11 +953,13 @@ static int dprintf_formatf(
 *fptr = 0; /* and a final zero termination */
 /* NOTE NOTE NOTE!! Not all sprintf implementations return number of output characters */
 (sprintf)(work, formatbuf, p->data.dnum);
-
+#ifdef CURLDEBUG
+ assert(strlen(work) <= sizeof(work));
+#endif
 for(fptr=work; *fptr; fptr++) OUTCHAR(*fptr);
 }
 break;
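Review bot: In the second hunk of lib/mprintf.c the digit-counting loop `while(val >= 10.0)` never runs for a negative `p->data.dnum`, so for a large-magnitude negative value `maxprec` stays at `sizeof(work) - 2` and the clamped precision still leaves no room for the integer digits or the sign that the later `(sprintf)` writes into `work`. Counting on the magnitude, `if(val < 0) val = -val;` placed before the loop with one extra byte reserved for the sign, would make the bound hold for both signs. The same loop does not appear to terminate if the value is +infinity, since dividing infinity by 10 leaves it unchanged, so a finiteness check before the loop is worth adding. dprintf_formatf starts and ends outside the hunk, so the size of `work` is inferred from `sizeof(work)` and the BUFFSIZE comment in the first hunk.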
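Review bot: In the third hunk the added `assert(strlen(work) <= sizeof(work));` accepts `strlen(work) == sizeof(work)`, which already means the terminating NUL was written one byte past the end of `work`; the comparison that matches the buffer size is `assert(strlen(work) < sizeof(work));`. The check also runs only after the unbounded `(sprintf)` has written and is compiled only under CURLDEBUG, so release builds depend entirely on the width and precision clamps earlier in the function. Where the platform provides it, a bounded call such as `snprintf(work, sizeof(work), formatbuf, p->data.dnum)` would enforce the limit at the write itself. The enclosing dprintf_formatf body starts and ends outside this hunk.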