[njs] Avoiding pointer wraparound for padded integer specifier.

Dmitry Volyntsev xeioex at nginx.com
Tue Jan 9 17:31:18 UTC 2024


details:   https://hg.nginx.org/njs/rev/e2c6451435a0
branches:  
changeset: 2259:e2c6451435a0
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Mon Jan 08 22:19:59 2024 -0800
description:
Avoiding pointer wraparound for padded integer specifier.

Previously, when an integer was larger than the padded width in an integer
specifier, the "end" pointer was evaluated to a value before the "buf"
pointer.

Found by UndefinedBehaviorSanitizer.

diffstat:

 src/njs_sprintf.c |  9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

diffs (28 lines):

diff -r 0490f1ae4cf5 -r e2c6451435a0 src/njs_sprintf.c
--- a/src/njs_sprintf.c	Sun Jul 30 10:21:51 2023 +0100
+++ b/src/njs_sprintf.c	Mon Jan 08 22:19:59 2024 -0800
@@ -522,12 +522,12 @@ njs_integer(njs_sprintf_t *spf, u_char *
         } while (ui64 != 0);
     }
 
+    length = (temp + NJS_INT64_T_LEN) - p;
+
     /* Zero or space padding. */
 
-    if (spf->width != 0) {
-
-        length = (temp + NJS_INT64_T_LEN) - p;
-        end = buf + (spf->width - length);
+    if (length < spf->width) {
+        end = buf + spf->width - length;
         end = njs_min(end, spf->end);
 
         while (buf < end) {
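Review bot: dropping the parentheses in `end = buf + spf->width - length;` changes the evaluation order to `(buf + spf->width) - length`, so for a large requested width the intermediate `buf + spf->width` can point well beyond the output buffer before `length` is subtracted back; the later `njs_min(end, spf->end)` clamps the final value but not that intermediate pointer. Since the new guard `if (length < spf->width)` already guarantees `spf->width - length` is positive, keeping the old grouping `end = buf + (spf->width - length);` gives the same result without forming an out-of-range pointer first. A one-line comment above the guard saying that it exists to stop the width/length subtraction from going below zero would also help, as that reasoning currently lives only in the commit message.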
@@ -537,7 +537,6 @@ njs_integer(njs_sprintf_t *spf, u_char *
 
     /* Number copying. */
 
-    length = (temp + NJS_INT64_T_LEN) - p;
     end = buf + length;
     end = njs_min(end, spf->end);
 
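Review bot: hoisting `length = (temp + NJS_INT64_T_LEN) - p;` above the padding block and removing the duplicate here is correct, as both the padding and the copying paths need the same value and it is now computed exactly once. The diff carries no test, though; a case with a width specifier smaller than the digit count of the value (the situation the sanitizer flagged) would pin the fixed behaviour, and a second case with the width equal to the digit count would confirm that the changed condition `length < spf->width` skips padding there without affecting the copied output.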


More information about the nginx-devel mailing list