commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
Author: Daniel Stenberg
Date: Tue Nov 8 15:32:37 2016 +0100

    printf: fix floating point buffer overflow issues

    ... and add a bunch of floating point printf tests

    Upstream-Status: Backport https://curl.haxx.se/CVE-2016-9586.patch
    dropped the tests as they require more changes to work.

    CVE: CVE-2016-9586

    Signed-off-by: Thiruvadi Rajaraman

Index: curl-7.50.1/lib/mprintf.c
===================================================================
--- curl-7.50.1.orig/lib/mprintf.c 2017-06-15 18:24:08.934720707 +0530
+++ curl-7.50.1/lib/mprintf.c 2017-06-15 18:24:09.318720721 +0530
@@ -92,7 +92,8 @@
 # define mp_uintmax_t unsigned long
 #endif
 
-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+                        fit negative DBL_MAX (317 letters) */
 #define MAX_PARAMETERS 128 /* lame static limit */
 
 #ifdef __AMIGA__
@@ -910,12 +911,25 @@
         *fptr = 0;
 
         if(width >= 0) {
+          if(width >= (long)sizeof(work))
+            width = sizeof(work)-1;
           /* RECURSIVE USAGE */
           len = curl_msnprintf(fptr, left, "%ld", width);
           fptr += len;
           left -= len;
         }
         if(prec >= 0) {
+          /* for each digit in the integer part, we can have one less
+             precision */
+          size_t maxprec = sizeof(work) - 2;
+          double val = p->data.dnum;
+          while(val >= 10.0) {
+            val /= 10;
+            maxprec--;
+          }
+
+          if(prec > (long)maxprec)
+            prec = maxprec-1;
           /* RECURSIVE USAGE */
           len = curl_msnprintf(fptr, left, ".%ld", prec);
           fptr += len;
@@ -935,7 +949,9 @@
         /* NOTE NOTE NOTE!! Not all sprintf implementations return number of
            output characters */
         (sprintf)(work, formatbuf, p->data.dnum);
-
+#ifdef CURLDEBUG
+        assert(strlen(work) <= sizeof(work));
+#endif
         for(fptr=work; *fptr; fptr++)
           OUTCHAR(*fptr);
       }
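Review bot: The new BUFFSIZE comment gives the figure "317 letters" without saying how it is derived, so the next maintainer cannot re-check the constant when `work` or the clamps below it change. Under the default `%f` precision, -DBL_MAX prints as a sign, 309 integer digits, the decimal point and six fractional digits, which is 317 characters before the terminating NUL. I would make the comment self-explaining: `/* buffer for long-to-str and float-to-str calcs; must fit negative DBL_MAX under "%f": sign + 309 digits + '.' + 6 decimals = 317 chars + NUL. Any explicit width/precision is clamped against sizeof(work) before sprintf writes here. */`. The last sentence only holds because of the clamps this same commit adds in the FORMAT_DOUBLE path, so the two spots are worth cross-referencing.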
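Review bot: The digit-counting loop `while(val >= 10.0)` never terminates when `p->data.dnum` is positive infinity, because inf divided by 10 is still inf and `maxprec` merely wraps around, so a conversion of an infinite value hangs instead of printing "inf". The same loop skips negative values entirely, so neither the integer digits of a large negative number nor its leading minus sign are subtracted from `maxprec`, and the clamp `if(prec > (long)maxprec)` leaves `prec == maxprec` untouched, which with `sizeof(work) - 2` already produces one character more than `work` can hold once the NUL is counted. The conversion letter is appended outside this hunk; if `%e`/`%g` also reach this `sprintf`, the exponent suffix is not budgeted either and the bound should be re-derived for them (subtracting a few more bytes from `maxprec` would cover it). Counting digits on the magnitude, skipping non-finite values, reserving a byte for the sign and clamping with `>=` closes the gaps visible here; dprintf_formatf itself starts and ends outside the hunk.
```c
        if(prec >= 0) {
          /* for each digit in the integer part, we can have one less
             precision; count on the magnitude so negative values are
             covered, and reserve a byte for their minus sign */
          size_t maxprec = sizeof(work) - 2;
          double val = p->data.dnum;
          if(val < 0) {
            val = -val;
            maxprec--;
          }
          /* inf/NaN print as short words, and inf would never leave the
             loop below; DBL_MAX needs <float.h> if not already included */
          if(val <= DBL_MAX) {
            while(val >= 10.0) {
              val /= 10;
              maxprec--;
            }
          }

          if(prec >= (long)maxprec)
            prec = (long)maxprec - 1;
          /* … unchanged: recursive curl_msnprintf(".%ld", prec) call … */
```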
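Review bot: The debug check `assert(strlen(work) <= sizeof(work))` still passes when `strlen(work)` equals `sizeof(work)`, yet that case means the NUL terminator was already written one byte past the end of `work`, so the comparison should be `assert(strlen(work) < sizeof(work));`. Because it runs after `(sprintf)` has filled the buffer it can only report an overrun that already happened, which is acceptable as a CURLDEBUG canary but must not be read as the guard; the width and precision clamps earlier in the function are the actual bound. I could not see whether this file includes `<assert.h>`; if it does not, the CURLDEBUG build will need it. The enclosing function continues outside the hunk.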