Bug 140185 - [patch] expand_number(3) does not detect overflow in numeric part
Summary: [patch] expand_number(3) does not detect overflow in numeric part
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 7.2-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Depends on:
Reported: 2009-11-02 00:30 UTC by Mikko Työläjärvi
Modified: 2018-01-03 05:13 UTC (History)
0 users

See Also:

file.diff (492 bytes, patch)
2009-11-02 00:30 UTC, Mikko Työläjärvi
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Mikko Työläjärvi 2009-11-02 00:30:01 UTC
The expand_number() function will silently truncate the numeric part
to the size of a maxint_t and if there is no suffix, no error is returned.
Overflow in strings that include a suffix is detected (e.g. "8E")

The patch is against -CURRENT.

Fix: Check return value and errno from strtoimax().  Patch attached.

Patch attached with submission follows:
How-To-Repeat: Compile and run this program with no arguments.  It should print "ok".

#include <sys/types.h>
#include <errno.h>
#include <stdio.h>
#include <libutil.h>
#include <inttypes.h>

main(int argc, const char *argv[])
    int64_t num = 0;
    const char *s;
    int rc;

    s = (argc > 1) ? argv[1] : "9223372036854775808";  /* 2^63 */
    rc = expand_number(s, &num);
    if (rc < 0 && errno == ERANGE) {
	return 0;
    printf("nope. rc = %d, num = %lld\n", rc, num);
    return 1;
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:28 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped