details: https://hg.nginx.org/njs/rev/e2c6451435a0 branches: changeset: 2259:e2c6451435a0 user: Dmitry Volyntsev <xei...@nginx.com> date: Mon Jan 08 22:19:59 2024 -0800 description: Avoiding pointer wraparound for padded integer specifier.
Previously, when integer was larger than the padded width in a integer specifier, the "end" pointer was evaluated to a value before "buf" pointer. Found by UndefinedBehaviorSanitizer.
diffstat:
 src/njs_sprintf.c | 9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)
diffs (28 lines):
diff -r 0490f1ae4cf5 -r e2c6451435a0 src/njs_sprintf.c
--- a/src/njs_sprintf.c Sun Jul 30 10:21:51 2023 +0100
+++ b/src/njs_sprintf.c Mon Jan 08 22:19:59 2024 -0800
@@ -522,12 +522,12 @@ njs_integer(njs_sprintf_t *spf, u_char *
 } while (ui64 != 0);
 }
+ length = (temp + NJS_INT64_T_LEN) - p;
+
 /* Zero or space padding. */
- if (spf->width != 0) {
-
- length = (temp + NJS_INT64_T_LEN) - p;
- end = buf + (spf->width - length);
+ if (length < spf->width) {
+ end = buf + spf->width - length;
 end = njs_min(end, spf->end);
 while (buf < end) {
@@ -537,7 +537,6 @@ njs_integer(njs_sprintf_t *spf, u_char *
 /* Number copying. */
- length = (temp + NJS_INT64_T_LEN) - p;
 end = buf + length;
 end = njs_min(end, spf->end);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
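Review bot: The new guard `if (length < spf->width)` keeps `end` from being formed before `buf`, but `end = buf + spf->width - length;` can still be formed beyond `spf->end` before `njs_min` clamps it, and since `width` presumably comes from the format specifier rather than from the destination size, that overshoot is reachable; forming a pointer past one-past-the-end of the destination is undefined in C even when it is never dereferenced, so the same class of issue UBSan flagged here remains on the upper side. A form that never computes the overshooting pointer is to clamp the offset instead of the pointer, replacing the two `end =` lines with `end = buf + njs_min(spf->width - length, (size_t) (spf->end - buf));`. The same pattern appears at `end = buf + length;` in the second hunk, though there the offset is bounded by NJS_INT64_T_LEN, so it only matters when `buf` is already within that distance of `spf->end`. The declared types of `spf->width` and `length` are not visible in the hunk; if either is signed, the comparison `length < spf->width` and the subtraction need a cast to keep both operands unsigned. njs_integer's body starts and ends outside both hunks.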