[PATCH 1/1] lib/vsprintf.c: fix integer overflow in vsprintf

Paul Liu paul.liu at linaro.org
Tue Aug 15 17:33:43 CEST 2023


Hi Tom,

Yes, I think Rasmus is correct. I didn't have any real cases that can
trigger the bug.
So let's don't include this patch. I'll see if I can revert this in
AOSP's branch.

Yours,
Paul



Y

On Tue, 15 Aug 2023 at 22:42, Tom Rini <trini at konsulko.com> wrote:

> On Thu, Mar 09, 2023 at 10:12:21AM +0800, Ying-Chun Liu (PaulLiu) wrote:
>
> > From: Tom Cherry <tomcherry at google.com>
> >
> > vsnprintf_internal() adds 'size' to 'buf' and vsprintf() sets 'size'
> > to 'INT_MAX' which can overflow.  This causes sprintf() to fail when
> > initializing the environment on 8GB.
> >
> > Instead of using 'INT_MAX', we use SIZE_MAX - buf, which is the
> > largest possible string that could fit without overflowing 'size'.
> >
> > Signed-off-by: Tom Cherry <tomcherry at google.com>
> > [ Paul: pick from the Android tree. Rebase to the upstream ]
> > Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu at linaro.org>
> > Cc: Tom Rini <trini at konsulko.com>
> > Link:
> https://android.googlesource.com/platform/external/u-boot/+/43aae5d4415e0f9d744fb798acd52429d09957ce
>
> So, this link here leads back to
> https://issuetracker.google.com/issues/200479053 which isn't public.
>
> Rasmus followed up and asked pointed questions, that weren't followed up
> on.
>
> --
> Tom
>


More information about the U-Boot mailing list