[njs] Avoiding pointer wraparound for padded integer specifier.
Dmitry Volyntsev
xeioex at nginx.com
Tue Jan 9 17:31:18 UTC 2024
details: https://hg.nginx.org/njs/rev/e2c6451435a0
branches:
changeset: 2259:e2c6451435a0
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Mon Jan 08 22:19:59 2024 -0800
description:
Avoiding pointer wraparound for padded integer specifier.
Previously, when an integer was larger than the padded width in an integer
specifier, the "end" pointer was evaluated to a value before the "buf"
pointer.
Found by UndefinedBehaviorSanitizer.
diffstat:
src/njs_sprintf.c | 9 ++++-----
1 files changed, 4 insertions(+), 5 deletions(-)
diffs (28 lines):
diff -r 0490f1ae4cf5 -r e2c6451435a0 src/njs_sprintf.c
--- a/src/njs_sprintf.c Sun Jul 30 10:21:51 2023 +0100
+++ b/src/njs_sprintf.c Mon Jan 08 22:19:59 2024 -0800
@@ -522,12 +522,12 @@ njs_integer(njs_sprintf_t *spf, u_char *
} while (ui64 != 0);
}
+ length = (temp + NJS_INT64_T_LEN) - p;
+
/* Zero or space padding. */
- if (spf->width != 0) {
-
- length = (temp + NJS_INT64_T_LEN) - p;
- end = buf + (spf->width - length);
+ if (length < spf->width) {
+ end = buf + spf->width - length;
end = njs_min(end, spf->end);
while (buf < end) {
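Review bot: In `end = buf + spf->width - length;` the parentheses of the old expression are gone, so it evaluates as `(buf + spf->width) - length`, and the intermediate pointer is formed before `njs_min(end, spf->end)` clamps it. With a large width that intermediate can lie well past `spf->end`, which is the same class of out-of-range pointer arithmetic this change sets out to remove. Since `length < spf->width` now guarantees a positive difference, keep the subtraction grouped as `buf + (spf->width - length)`, or better, compare the pad count against `spf->end - buf` as integers and only then add it to `buf`. The declarations are outside this context, so it is also worth confirming that `length` and `spf->width` have the same signedness and the new comparison involves no implicit conversion.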
@@ -537,7 +537,6 @@ njs_integer(njs_sprintf_t *spf, u_char *
/* Number copying. */
- length = (temp + NJS_INT64_T_LEN) - p;
end = buf + length;
end = njs_min(end, spf->end);
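Review bot: With the second `length` assignment removed ahead of `end = buf + length;`, the copy step depends on the value computed before the padding block, so nothing in between may modify `p` or reassign `length`. The padding loop body is not visible in this context; please confirm it only advances `buf`, and consider a one-line comment at the hoisted assignment noting that it is shared by padding and copying. The diffstat lists only src/njs_sprintf.c, so a unit test that formats an integer with more digits than the specified width would keep the UndefinedBehaviorSanitizer finding from regressing.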