File curl-7.37-CVE-2016-9586.patch of Package curl.openSUSE_Leap_42.3_Update
From 18562547930ad546c1b2bad184926548047d2b5f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 8 Nov 2016 15:32:37 +0100
Subject: [PATCH v2] printf: fix floating point buffer overflow issues
... and add a bunch of floating point printf tests
---
lib/mprintf.c | 20 +++++++-
tests/data/test557 | 1 +
tests/libtest/lib557.c | 136 +++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 152 insertions(+), 5 deletions(-)
diff --git a/lib/mprintf.c b/lib/mprintf.c
index e1ad537f6..e3a690bb3 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -90,11 +90,12 @@
#else
# define mp_intmax_t long
# define mp_uintmax_t unsigned long
#endif
-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+ fit negative DBL_MAX (317 letters) */
#define MAX_PARAMETERS 128 /* lame static limit */
#ifdef __AMIGA__
# undef FORMAT_INT
#endif
@@ -914,16 +915,29 @@ static int dprintf_formatf(
*fptr++ = '#';
*fptr = 0;
if(width >= 0) {
+ if(width >= (long)sizeof(work))
+ width = sizeof(work)-1;
/* RECURSIVE USAGE */
len = curl_msnprintf(fptr, left, "%ld", width);
fptr += len;
left -= len;
}
if(prec >= 0) {
+ /* for each digit in the integer part, we can have one less
+ precision */
+ size_t maxprec = sizeof(work) - 2;
+ double val = p->data.dnum;
+ while(val >= 10.0) {
+ val /= 10;
+ maxprec--;
+ }
+
+ if(prec > (long)maxprec)
+ prec = maxprec-1;
/* RECURSIVE USAGE */
len = curl_msnprintf(fptr, left, ".%ld", prec);
fptr += len;
}
if(p->flags & FLAGS_LONG)
@@ -939,11 +953,13 @@ static int dprintf_formatf(
*fptr = 0; /* and a final zero termination */
/* NOTE NOTE NOTE!! Not all sprintf implementations return number of
output characters */
(sprintf)(work, formatbuf, p->data.dnum);
-
+#ifdef CURLDEBUG
+ assert(strlen(work) <= sizeof(work));
+#endif
for(fptr=work; *fptr; fptr++)
OUTCHAR(*fptr);
}
break;
