diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c index 2ecf769..c123ade 100644 --- a/src/stdio/vfprintf.c +++ b/src/stdio/vfprintf.c @@ -437,8 +437,11 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t) static int getint(char **s) { int i; - for (i=0; isdigit(**s); (*s)++) + for (i=0; isdigit(**s); (*s)++) { + if (i > INT_MAX/10 || **s-'0' > INT_MAX-10*i) + return -1; i = 10*i + (**s-'0'); + } return i; } @@ -498,9 +501,10 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, } else if (!l10n) { w = f ? va_arg(*ap, int) : 0; s++; - } else return -1; + } else goto inval; + if (w==INT_MIN) goto overflow; if (w<0) fl|=LEFT_ADJ, w=-w; - } else if ((w=getint(&s))<0) return -1; + } else if ((w=getint(&s))<0) goto overflow; /* Read precision */ if (*s=='.' && s[1]=='*') { @@ -511,7 +515,7 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, } else if (!l10n) { p = f ? va_arg(*ap, int) : 0; s+=2; - } else return -1; + } else goto inval; } else if (*s=='.') { s++; p = getint(&s); @@ -520,15 +524,15 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, /* Format specifier state machine */ st=0; do { - if (OOB(*s)) return -1; + if (OOB(*s)) goto inval; ps=st; st=states[st]S(*s++); } while (st-1=0) return -1; + if (argpos>=0) goto inval; } else { if (argpos>=0) nl_type[argpos]=st, arg=nl_arg[argpos]; else if (f) pop_arg(&arg, st, ap); @@ -646,8 +650,15 @@ static int printf_core(FILE *f, const char *fmt, va_list *ap, union arg *nl_arg, for (i=1; i<=NL_ARGMAX && nl_type[i]; i++) pop_arg(nl_arg+i, nl_type[i], ap); for (; i<=NL_ARGMAX && !nl_type[i]; i++); - if (i<=NL_ARGMAX) return -1; + if (i<=NL_ARGMAX) goto inval; return 1; + +inval: + errno = EINVAL; + return -1; +overflow: + errno = EOVERFLOW; + return -1; } int vfprintf(FILE *restrict f, const char *restrict fmt, va_list ap)