From 82e40d211902d486d2871a1bc691d1768927efd5 Mon Sep 17 00:00:00 2001 From: Theo de Raadt Date: Sat, 18 Apr 2015 18:28:39 +0000 Subject: Convert many atoi() calls to strtonum(), adding range checks and failure handling along the way. Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert --- usr.bin/calendar/calendar.c | 12 +++++++++--- usr.bin/calendar/io.c | 12 ++++++++---- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'usr.bin/calendar') diff --git a/usr.bin/calendar/calendar.c b/usr.bin/calendar/calendar.c index 85c28be895d..fcab233ec86 100644 --- a/usr.bin/calendar/calendar.c +++ b/usr.bin/calendar/calendar.c @@ -1,4 +1,4 @@ -/* $OpenBSD: calendar.c,v 1.30 2015/03/15 00:41:28 millert Exp $ */ +/* $OpenBSD: calendar.c,v 1.31 2015/04/18 18:28:37 deraadt Exp $ */ /* * Copyright (c) 1989, 1993, 1994 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include @@ -68,6 +69,7 @@ int main(int argc, char *argv[]) { int ch; + const char *errstr; char *caldir; (void)setlocale(LC_ALL, ""); @@ -95,12 +97,16 @@ main(int argc, char *argv[]) break; case 'A': /* days after current date */ - f_dayAfter = atoi(optarg); + f_dayAfter = strtonum(optarg, 0, INT_MAX, &errstr); + if (errstr) + errx(1, "-A %s: %s", optarg, errstr); f_SetdayAfter = 1; break; case 'B': /* days before current date */ - f_dayBefore = atoi(optarg); + f_dayBefore = strtonum(optarg, 0, INT_MAX, &errstr); + if (errstr) + errx(1, "-B %s: %s", optarg, errstr); break; default: diff --git a/usr.bin/calendar/io.c b/usr.bin/calendar/io.c index d0a5e5847be..1e1950b2d30 100644 --- a/usr.bin/calendar/io.c +++ b/usr.bin/calendar/io.c @@ -1,4 +1,4 @@ -/* $OpenBSD: io.c,v 1.38 2015/03/15 00:41:28 millert Exp $ */ +/* $OpenBSD: io.c,v 1.39 2015/04/18 18:28:37 deraadt Exp $ */ /* * Copyright (c) 1989, 1993, 1994 
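Review bot: In the `case 'A'` and `case 'B'` arms of calendar.c, the `INT_MAX` upper bound only guarantees that the parsed value fits in an `int`; it does not bound what later date arithmetic does with it. If `f_dayAfter` or `f_dayBefore` is subsequently added to a day offset or scaled to seconds (that code is outside this hunk, so this is an assumption to confirm), a value near `INT_MAX` can still overflow signed arithmetic. A limit tied to the use would close that, for example `f_dayAfter = strtonum(optarg, 0, 365, &errstr);`, mirroring the 365-day limit this commit applies in io.c. The change also newly rejects negative arguments that `atoi()` accepted, which deserves a line in the manual page. main() begins and ends outside the hunk.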
@@ -281,12 +281,16 @@ getfield(char *p, char **endp, int *flags)
 }
 }
 if (i > NUMEV) {
- switch(*start) {
+ const char *errstr;
+
+ switch (*start) {
 case '-':
 case '+':
- var = atoi(start);
- if (var > 365 || var < -365)
+ var = strtonum(start + 1, 0, 365, &errstr);
+ if (errstr)
 return (0); /* Someone is just being silly */
+ if (*start == '-')
+ var = -var;
 val += (NUMEV + 1) * var;
 /* We add one to the matching event and multiply by
 * (NUMEV + 1) so as not to return 0 if there's a match.
-- cgit v1.2.3
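Review bot: `strtonum(start + 1, 0, 365, &errstr)` in getfield() fails on any trailing non-digit, whereas the `atoi(start)` it replaces stopped at the first one, so an offset followed by other text in the same buffer would now make the function return 0. Whether `start` is NUL-terminated right after the digits is decided outside this hunk and should be confirmed. The retained comment on `return (0);` is also stale, since the branch now covers malformed numbers as well as out-of-range ones; something like `/* malformed or out-of-range offset */` would describe it. getfield() begins and ends outside the hunk.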