From e6964c7cdf8f4b9eed72bd4e4f07dc0b25455be4 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@cvs.openbsd.org>
Date: Sat, 11 Mar 2017 23:37:24 +0000
Subject: fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
 using AFL against ssh_config. ok deraadt@ millert@

---
 lib/libutil/fmt_scaled.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/libutil/fmt_scaled.c b/lib/libutil/fmt_scaled.c
index eecbde7a68f..bbeb01fdd0e 100644
--- a/lib/libutil/fmt_scaled.c
+++ b/lib/libutil/fmt_scaled.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: fmt_scaled.c,v 1.12 2013/11/29 19:00:51 deraadt Exp $	*/
+/*	$OpenBSD: fmt_scaled.c,v 1.13 2017/03/11 23:37:23 djm Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003 Ian F. Darwin.  All rights reserved.
@@ -121,6 +121,10 @@ scan_scaled(char *scaled, long long *result)
 				/* ignore extra fractional digits */
 				continue;
 			fract_digits++;		/* for later scaling */
+			if (fpart >= LLONG_MAX / 10) {
+				errno = ERANGE;
+				return -1;
+			}
 			fpart *= 10;
 			fpart += i;
 		} else {				/* normal digit */
@@ -128,6 +132,10 @@ scan_scaled(char *scaled, long long *result)
 				errno = ERANGE;
 				return -1;
 			}
+			if (whole >= LLONG_MAX / 10) {
+				errno = ERANGE;
+				return -1;
+			}
 			whole *= 10;
 			whole += i;
 		}
@@ -158,6 +166,11 @@ scan_scaled(char *scaled, long long *result)
 			}
 			scale_fact = scale_factors[i];
 
+			if (whole >= LLONG_MAX / scale_fact) {
+				errno = ERANGE;
+				return -1;
+			}
+
 			/* scale whole part */
 			whole *= scale_fact;
 
-- 
cgit v1.2.3