Bug 140185

Summary: [patch] expand_number(3) does not detect overflow in numeric part
Product: Base System
Reporter: Mikko Työläjärvi <mikko.tyolajarvi>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
Keywords: patch
Priority: Normal
Version: 7.2-STABLE
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description Mikko Työläjärvi 2009-11-02 00:30:01 UTC
The expand_number() function will silently truncate the numeric part
to the size of a maxint_t, and if there is no suffix, no error is returned.
Overflow in strings that include a suffix is detected (e.g. "8E").

The patch is against -CURRENT.

Fix: Check return value and errno from strtoimax().  Patch attached.

Patch attached with submission follows:
How-To-Repeat: Compile and run this program with no arguments.  It should print "ok".

#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <libutil.h>
#include <inttypes.h>

int
main(int argc, const char *argv[])
{
    int64_t num = 0;
    const char *s;
    int rc;

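    /* Default input is one past INT64_MAX and carries no suffix. */
    s = (argc > 1) ? argv[1] : "9223372036854775808";  /* 2^63 */
    rc = expand_number(s, &num);
    /* The value cannot fit, so the call should fail with ERANGE. */
    if (rc < 0 && errno == ERANGE) {
        printf("ok\n");
        return 0;
    }
    /* PRId64 matches int64_t on every platform; %lld does not. */
    printf("nope. rc = %d, num = %" PRId64 "\n", rc, num);
    return 1;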
}
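
The check the report asks for, shown as an added example (this is neither the attached file.diff nor the libutil source): strtoimax() clamps to INTMAX_MAX and reports overflow only through errno, so errno has to be cleared before the call and tested after it. The function name parse_scaled() and the suffix table "kmgtpe" are assumptions made for this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for expand_number(3); 0 on success, -1 + errno. */
int
parse_scaled(const char *buf, int64_t *num)
{
    static const char units[] = "kmgtpe";   /* assumed: 2^10 .. 2^60 */
    const char *p;
    char *end;
    intmax_t v;
    unsigned shift = 0;

    errno = 0;                  /* strtoimax() never resets errno itself */
    v = strtoimax(buf, &end, 0);
    if (errno == ERANGE)        /* digits overflowed; v is only a clamp */
        return (-1);
    if (end == buf) {           /* no digits were consumed */
        errno = EINVAL;
        return (-1);
    }
    if (*end != '\0') {         /* exactly one trailing suffix letter */
        p = strchr(units, tolower((unsigned char)*end));
        if (p == NULL || end[1] != '\0') {
            errno = EINVAL;
            return (-1);
        }
        shift = 10 * (unsigned)(p - units + 1);
    }
    /* Range-check before scaling so the multiplication cannot overflow. */
    if (v > (INT64_MAX >> shift) || v < -(INT64_MAX >> shift) - 1) {
        errno = ERANGE;
        return (-1);
    }
    *num = (int64_t)(v * ((intmax_t)1 << shift));
    return (0);
}

int
main(void)
{
    int64_t n = 0;
    int rc = parse_scaled("9223372036854775808", &n);  /* 2^63, as in the report */
    printf("%s\n", (rc == -1 && errno == ERANGE) ? "ok" : "nope");
    return (0);
}
```
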
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:28 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 2 Graham Perrin freebsd_committer freebsd_triage 2022-10-17 12:34:12 UTC
Keyword: 

    patch
or  patch-ready

– in lieu of summary line prefix: 

    [patch]

* bulk change for the keyword
* summary lines may be edited manually (not in bulk). 

Keyword descriptions and search interface: 

    <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>