File curl-7.37-CVE-2016-9586.patch of Package curl.6521

Overview Repositories Revisions Requests Users Attributes Meta

File curl-7.37-CVE-2016-9586.patch of Package curl.6521

From 18562547930ad546c1b2bad184926548047d2b5f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 8 Nov 2016 15:32:37 +0100
Subject: [PATCH v2] printf: fix floating point buffer overflow issues

... and add a bunch of floating point printf tests
---
 lib/mprintf.c          |  20 +++++++-
 tests/data/test557     |   1 +
 tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 152 insertions(+), 5 deletions(-)

diff --git a/lib/mprintf.c b/lib/mprintf.c
index e1ad537f6..e3a690bb3 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -90,11 +90,12 @@
 #else
 #  define mp_intmax_t long
 #  define mp_uintmax_t unsigned long
 #endif
 
-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+                        fit negative DBL_MAX (317 letters) */
 #define MAX_PARAMETERS 128 /* lame static limit */
 
 #ifdef __AMIGA__
 # undef FORMAT_INT
 #endif
@@ -914,16 +915,29 @@ static int dprintf_formatf(
           *fptr++ = '#';
 
         *fptr = 0;
 
         if(width >= 0) {
+          if(width >= (long)sizeof(work))
+            width = sizeof(work)-1;
           /* RECURSIVE USAGE */
           len = curl_msnprintf(fptr, left, "%ld", width);
           fptr += len;
           left -= len;
         }
         if(prec >= 0) {
+          /* for each digit in the integer part, we can have one less
+             precision */
+          size_t maxprec = sizeof(work) - 2;
+          double val = p->data.dnum;
+          while(val >= 10.0) {
+            val /= 10;
+            maxprec--;
+          }
+
+          if(prec > (long)maxprec)
+            prec = maxprec-1;
           /* RECURSIVE USAGE */
           len = curl_msnprintf(fptr, left, ".%ld", prec);
           fptr += len;
         }
         if(p->flags & FLAGS_LONG)
@@ -939,11 +953,13 @@ static int dprintf_formatf(
         *fptr = 0; /* and a final zero termination */
 
         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
            output characters */
         (sprintf)(work, formatbuf, p->data.dnum);
-
+#ifdef CURLDEBUG
+        assert(strlen(work) <= sizeof(work));
+#endif
         for(fptr=work; *fptr; fptr++)
           OUTCHAR(*fptr);
       }
       break;

Places

File curl-7.37-CVE-2016-9586.patch of Package curl.6521

Places