From 625976d7931006bae7e960e561ecdaccb0cb6a28 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto"
Date: Fri, 7 Sep 2018 03:16:44 +0900
Subject: Fix integer overflow issue; fix #4108

I misunderstood the return value from `snprintf()`, which is NOT number of characters written in buffer, but the number of character the buffer has to have to write the complete output.
---
 mrbgems/mruby-sprintf/src/sprintf.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 738c5485f..ea127c574 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -1057,17 +1057,21 @@ retry:
 need = BIT_DIGITS(i); } need += (flags&FPREC) ? prec : 6; + if (need < 0) { + too_big_width: + mrb_raise(mrb, E_ARGUMENT_ERROR, + (width > prec ? "width too big" : "prec too big")); + } if ((flags&FWIDTH) && need < width) need = width; need += 20; if (need <= 0) { - mrb_raise(mrb, E_ARGUMENT_ERROR, - (width > prec ? "width too big" : "prec too big")); + goto too_big_width; } CHECK(need); n = snprintf(&buf[blen], need, fbuf, fval); - if (n < 0) { + if (n < 0 || n >= need) { mrb_raise(mrb, E_RUNTIME_ERROR, "formatting error"); } blen += n; -- cgit v1.2.3
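Review bot: The added `if (need < 0)` guard, like the retained `if (need <= 0)` after `need += 20;`, only tests for signed overflow after the addition has already happened, and if `need` and `prec` are signed ints as they appear to be, that overflow is undefined behavior which an optimizing compiler may assume never occurs and so may drop the comparison instead of catching the case the commit title names. Test the operands before adding, e.g. `if (prec > INT_MAX - need) goto too_big_width;` ahead of `need += (flags&FPREC) ? prec : 6;` and `if (need > INT_MAX - 20) goto too_big_width;` ahead of `need += 20;` (with `<limits.h>` in scope), after which the post-hoc `need < 0` test is no longer needed. Placing the `too_big_width:` label inside the body of that `if` and jumping into the block from below is legal C but reads oddly; a label after the normal path, or a small `static` helper that raises, keeps the error path in one obvious place. The `n >= need` test is the right reading of `snprintf`'s return contract, but the raised "formatting error" now also covers an under-estimated `need`, which deserves a short comment such as `/* n >= need: output truncated, the size estimate above was too small */`. The enclosing function continues on both sides of the hunk.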