summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhilip Guenther <guenther@cvs.openbsd.org>2017-09-20 05:08:12 +0000
committerPhilip Guenther <guenther@cvs.openbsd.org>2017-09-20 05:08:12 +0000
commitd0bf1c3ef98173fa7955b25bb4e21d5aec31dad9 (patch)
tree351d6d73c0dc8a031752ca84d01aa476eb329bed
parent084a6fee5f620b4a15a4e6196ebabd9939016ce5 (diff)
Avoid overflow/truncation during string->integer converion by eliminating
the 'int' temporary variable. problem reported by Jacob Zimmermann (jacobz (at) senseofsecurity.com.au) ok deraadt@
-rw-r--r--usr.sbin/lpr/lpd/printjob.c22
1 files changed, 9 insertions, 13 deletions
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c
index 1e7b2471e97..280e1850aa9 100644
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printjob.c,v 1.58 2016/11/22 16:03:57 millert Exp $ */
+/* $OpenBSD: printjob.c,v 1.59 2017/09/20 05:08:11 guenther Exp $ */
/* $NetBSD: printjob.c,v 1.31 2002/01/21 14:42:30 wiz Exp $ */
/*
@@ -417,15 +417,13 @@ printit(char *file)
case 'S':
cp = line+1;
- i = 0;
+ fdev = 0;
while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
cp++;
- i = 0;
+ fino = 0;
while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
continue;
case 'J':
@@ -826,15 +824,13 @@ sendit(char *file)
again:
if (line[0] == 'S') {
cp = line+1;
- i = 0;
+ fdev = 0;
while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
cp++;
- i = 0;
+ fino = 0;
while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
continue;
}
if (line[0] >= 'a' && line[0] <= 'z') {