author | Philip Guenther <guenther@cvs.openbsd.org> | 2017-09-20 05:08:12 +0000 |
---|---|---|
committer | Philip Guenther <guenther@cvs.openbsd.org> | 2017-09-20 05:08:12 +0000 |
commit | d0bf1c3ef98173fa7955b25bb4e21d5aec31dad9 (patch) | |
tree | 351d6d73c0dc8a031752ca84d01aa476eb329bed /usr.sbin/lpr | |
parent | 084a6fee5f620b4a15a4e6196ebabd9939016ce5 (diff) |
Avoid overflow/truncation during string->integer conversion by eliminating
the 'int' temporary variable.
problem reported by Jacob Zimmermann (jacobz (at) senseofsecurity.com.au)
ok deraadt@
Diffstat (limited to 'usr.sbin/lpr')
-rw-r--r-- | usr.sbin/lpr/lpd/printjob.c | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c
index 1e7b2471e97..280e1850aa9 100644
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printjob.c,v 1.58 2016/11/22 16:03:57 millert Exp $ */
+/* $OpenBSD: printjob.c,v 1.59 2017/09/20 05:08:11 guenther Exp $ */
 /* $NetBSD: printjob.c,v 1.31 2002/01/21 14:42:30 wiz Exp $ */
 /*
@@ -417,15 +417,13 @@ printit(char *file)
 case 'S':
 cp = line+1;
- i = 0;
+ fdev = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
 cp++;
- i = 0;
+ fino = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
 continue;
 case 'J':
@@ -826,15 +824,13 @@ sendit(char *file)
 again:
 if (line[0] == 'S') {
 cp = line+1;
- i = 0;
+ fdev = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
 cp++;
- i = 0;
+ fino = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
 continue;
 }
 if (line[0] >= 'a' && line[0] <= 'z') { |
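Review bot: The unconditional `cp++;` between the two digit loops in printit's `case 'S':` branch (and in the identical `line[0] == 'S'` branch of sendit) steps over whatever byte ended the first number, including the string terminator when the line carries only one field, so the second loop can then parse bytes past the end of the control-file line. Guarding the skip, e.g. `if (*cp != '\0') cp++;`, would leave `fino` at 0 for a truncated line instead of a value built from stale buffer contents. The accumulation is also still unbounded: the declarations of `fdev` and `fino` are outside the hunks, but if either has a signed type a long digit run still overflows, so a digit-count limit or a range-checked conversion such as `strtoull` with an end pointer would make the parse robust against a malformed control file. Both function bodies start and end outside the hunks shown.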