summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2017-03-11 23:37:24 +0000
committerDamien Miller <djm@cvs.openbsd.org>2017-03-11 23:37:24 +0000
commite6964c7cdf8f4b9eed72bd4e4f07dc0b25455be4 (patch)
treee50b9f5546298f4918b538eedb4b700bff06ece7
parent4873d6ea8c9c0dc610041a54190ee4edb96202c4 (diff)
fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
using AFL against ssh_config. ok deraadt@ millert@
Diffstat
-rw-r--r--lib/libutil/fmt_scaled.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/libutil/fmt_scaled.c b/lib/libutil/fmt_scaled.c
index eecbde7a68f..bbeb01fdd0e 100644
--- a/lib/libutil/fmt_scaled.c
+++ b/lib/libutil/fmt_scaled.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fmt_scaled.c,v 1.12 2013/11/29 19:00:51 deraadt Exp $ */
+/* $OpenBSD: fmt_scaled.c,v 1.13 2017/03/11 23:37:23 djm Exp $ */
/*
* Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved.
@@ -121,6 +121,10 @@ scan_scaled(char *scaled, long long *result)
/* ignore extra fractional digits */
continue;
fract_digits++; /* for later scaling */
+ if (fpart >= LLONG_MAX / 10) {
+ errno = ERANGE;
+ return -1;
+ }
fpart *= 10;
fpart += i;
} else { /* normal digit */
@@ -128,6 +132,10 @@ scan_scaled(char *scaled, long long *result)
errno = ERANGE;
return -1;
}
+ if (whole >= LLONG_MAX / 10) {
+ errno = ERANGE;
+ return -1;
+ }
whole *= 10;
whole += i;
}
@@ -158,6 +166,11 @@ scan_scaled(char *scaled, long long *result)
}
scale_fact = scale_factors[i];
+ if (whole >= LLONG_MAX / scale_fact) {
+ errno = ERANGE;
+ return -1;
+ }
+
/* scale whole part */
whole *= scale_fact;
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-26 20:27:16 +0000