25241371 problem in LIBRARY/CURL
25241378 problem in LIBRARY/CURL
25241832 problem in LIBRARY/CURL
25241839 problem in LIBRARY/CURL
25241853 problem in LIBRARY/CURL
25241867 problem in LIBRARY/CURL
25241881 problem in LIBRARY/CURL
25241889 problem in LIBRARY/CURL
25241894 problem in LIBRARY/CURL
25241900 problem in LIBRARY/CURL
25306385 problem in LIBRARY/CURL
commit 3ab3c16db6a5674f53cf23d56512a405fde0b2c9
Author: Daniel Stenberg <[email protected]>
Date: Tue Nov 8 15:32:37 2016 +0100
printf: fix floating point buffer overflow issues
... and add a bunch of floating point printf tests
This patch is modified to adapt to curl 7.45.0 in Solaris.
--- lib/mprintf.c
+++ lib/mprintf.c
@@ -90,11 +90,12 @@
#else
# define mp_intmax_t long
# define mp_uintmax_t unsigned long
#endif
-#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */
+#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should
+ fit negative DBL_MAX (317 letters) */
#define MAX_PARAMETERS 128 /* lame static limit */
#ifdef __AMIGA__
# undef FORMAT_INT
#endif
@@ -914,16 +915,29 @@ static int dprintf_formatf(
*fptr++ = '#';
*fptr = 0;
if(width >= 0) {
+ if(width >= (long)sizeof(work))
+ width = sizeof(work)-1;
/* RECURSIVE USAGE */
len = curl_msnprintf(fptr, left, "%ld", width);
fptr += len;
left -= len;
}
if(prec >= 0) {
+ /* for each digit in the integer part, we can have one less
+ precision */
+ size_t maxprec = sizeof(work) - 2;
+ double val = p->data.dnum;
+ while(val >= 10.0) {
+ val /= 10;
+ maxprec--;
+ }
+
+ if(prec > (long)maxprec)
+ prec = maxprec-1;
/* RECURSIVE USAGE */
len = curl_msnprintf(fptr, left, ".%ld", prec);
fptr += len;
}
if(p->flags & FLAGS_LONG)
@@ -939,11 +953,13 @@ static int dprintf_formatf(
*fptr = 0; /* and a final zero termination */
/* NOTE NOTE NOTE!! Not all sprintf implementations return number of
output characters */
(sprintf)(work, formatbuf, p->data.dnum);
-
+#ifdef CURLDEBUG
+ assert(strlen(work) <= sizeof(work));
+#endif
for(fptr=work; *fptr; fptr++)
OUTCHAR(*fptr);
}
break;