Hello,

Attached is a patch to fix a bug in bc_num_ulong() where overflow was
not being detected correctly.

Gavin Howard
From ef5bafdc4d5256348c573614bcdf9b3469d0cbf2 Mon Sep 17 00:00:00 2001
From: Gavin Howard <yzena.t...@gmail.com>
Date: Sat, 16 Mar 2019 14:52:19 -0600
Subject: [PATCH] bc: fix an overflow bug in bc_num_ulong()

---
 toys/pending/bc.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/toys/pending/bc.c b/toys/pending/bc.c
index 614cae70..142c0ce2 100644
--- a/toys/pending/bc.c
+++ b/toys/pending/bc.c
@@ -2120,21 +2120,22 @@ BcStatus bc_num_parse(BcNum *n, char *val,
 BcStatus bc_num_ulong(BcNum *n, unsigned long *result) {
 
   size_t i;
-  unsigned long pow, r;
+  unsigned long r;
 
   *result = 0;
 
   if (n->neg) return bc_vm_err(BC_ERROR_MATH_NEGATIVE);
 
-  for (r = 0, pow = 1, i = n->rdx; i < n->len; ++i) {
+  for (r = 0, i = n->len; i > n->rdx;) {
 
-    unsigned long prev = r, powprev = pow;
+    unsigned long prev = r * 10;
 
-    r += ((unsigned long) n->num[i]) * pow;
-    pow *= 10;
+    if (prev == SIZE_MAX || prev / 10 != r)
+      return bc_vm_err(BC_ERROR_MATH_OVERFLOW);
 
-    if (r < prev || pow < powprev)
-      return bc_vm_verr(BC_ERROR_MATH_OVERFLOW, "number cannot fit");
+    r = prev + ((uchar) n->num[--i]);
+
+    if (r == SIZE_MAX || r < prev) return bc_vm_err(BC_ERROR_MATH_OVERFLOW);
   }
 
   *result = r;
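Review bot: The two new guards compare `unsigned long` values with `SIZE_MAX`, which is the limit of `size_t` rather than of the type of `r` and `prev`. Where `size_t` is wider than `unsigned long` the `== SIZE_MAX` tests can never fire, and even where the widths match `prev == SIZE_MAX` is unreachable because `r * 10` is always even. The wrap tests `prev / 10 != r` and `r < prev` do the real work, so the loop body could use one pre-check on the digit `d` instead: `if (r > (ULONG_MAX - d) / 10) return bc_vm_err(BC_ERROR_MATH_OVERFLOW);` followed by `r = r * 10 + d;`. If rejecting the maximum value is deliberate (for example because callers treat it as a sentinel, which is not visible here), a comment such as `// the maximum value is reserved, report it as overflow` would make that explicit. The body of bc_num_ulong() continues past the end of the hunk.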
-- 
2.17.1
