From e059b3b197ce7da33b8b0b3529af65fb85b25186 Mon Sep 17 00:00:00 2001
From: Cody Peter Mello
Date: Fri, 14 Sep 2018 19:56:34 -0700
Subject: [PATCH] Protect against overflowing during OFMT/CONVFMT conversions
---
 bugs-fixed/README | 4 ++++
 bugs-fixed/fmt-overflow.awk | 1 +
 bugs-fixed/fmt-overflow.ok | 1 +
 tran.c | 6 +++---
 4 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 bugs-fixed/fmt-overflow.awk
 create mode 100644 bugs-fixed/fmt-overflow.ok
diff --git a/bugs-fixed/README b/bugs-fixed/README
index 222ef68..7c18979 100644
--- a/bugs-fixed/README
+++ b/bugs-fixed/README
@@ -23,3 +23,7 @@ and also if CONVFMT changed.
 7. unary-plus: Unary plus on a string constant returned the string.
 Instead, it should convert the value to numeric and give that value.
+
+X. fmt-overflow: The buffer used for OFMT/CONVFMT conversions was written
+to with sprintf(), which meant that some conversions could write past the
+end.
diff --git a/bugs-fixed/fmt-overflow.awk b/bugs-fixed/fmt-overflow.awk
new file mode 100644
index 0000000..bf5877e
--- /dev/null
+++ b/bugs-fixed/fmt-overflow.awk
@@ -0,0 +1 @@
+BEGIN { OFMT = "%.1000f"; print 1.25; }
diff --git a/bugs-fixed/fmt-overflow.ok b/bugs-fixed/fmt-overflow.ok
new file mode 100644
index 0000000..5f7449e
--- /dev/null
+++ b/bugs-fixed/fmt-overflow.ok
@@ -0,0 +1 @@
+1.2500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
diff --git a/tran.c b/tran.c
index 72ca6ff..6775b01 100644
--- a/tran.c
+++ b/tran.c
@@ -395,7 +395,7 @@ Awkfloat getfval(Cell *vp) /* get float val of a Cell */
 static char *get_str_val(Cell *vp, char **fmt) /* get string val of a Cell */
 {
-	char s[100]; /* BUG: unchecked */
+	char s[256];
 	double dtemp;
 	if ((vp->tval & (NUM | STR)) == 0)
@@ -434,9 +434,9 @@ static char *get_str_val(Cell *vp, char **fmt) /* get string val of a Cel
 		if (freeable(vp)) \
 			xfree(vp->sval); \
 		if (modf(vp->fval, &dtemp) == 0) /* it's integral */ \
-			sprintf(s, "%.30g", vp->fval); \
+			snprintf(s, sizeof (s), "%.30g", vp->fval); \
 		else \
-			sprintf(s, *fmt, vp->fval); \
+			snprintf(s, sizeof (s), *fmt, vp->fval); \
 		vp->sval = tostring(s); \
 		vp->tval &= ~DONTFREE; \
 		vp->tval |= STR; \
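Review bot: Both new snprintf() calls discard their return value, so a conversion wider than the 256-byte buffer declared in the earlier hunk (`char s[256];`) is now silently truncated rather than overflowing; the added fmt-overflow test sets OFMT to "%.1000f", yet its .ok file is visibly shorter than the ~1000 decimals that format produces, which suggests the expected output encodes the truncation rather than a correct result. Because *fmt is whatever the awk program assigned to OFMT/CONVFMT, no fixed buffer size is sufficient; the robust fix is to measure with `snprintf(NULL, 0, ...)` and allocate that many bytes, and at minimum the truncated case should fail loudly (via the project's FATAL() helper, if that is the convention here) instead of returning a wrong string. The enclosing backslash-continued macro body starts and ends outside the hunk, so the `int n;` below belongs at the top of that body; a one-line comment at the `*fmt` call noting that the format comes from the awk program and must denote a single floating-point conversion would also help the next reader.
```c
		int n; \
		/* … unchanged: freeable()/xfree() … */ \
		if (modf(vp->fval, &dtemp) == 0) /* it's integral */ \
			n = snprintf(s, sizeof (s), "%.30g", vp->fval); \
		else \
			n = snprintf(s, sizeof (s), *fmt, vp->fval); \
		if (n < 0 || (size_t)n >= sizeof (s)) \
			FATAL("result of OFMT/CONVFMT conversion is too long"); \
		/* … unchanged: tostring(), tval updates … */ \
```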