[PATCH 1/1] lib/vsprintf.c: fix integer overflow in vsprintf
Ying-Chun Liu (PaulLiu)
paul.liu at linaro.org
Thu Mar 9 03:12:21 CET 2023
From: Tom Cherry <tomcherry at google.com>
vsnprintf_internal() adds 'size' to 'buf' and vsprintf() sets 'size'
to 'INT_MAX' which can overflow. This causes sprintf() to fail when
initializing the environment on 8GB.
Instead of using 'INT_MAX', we use SIZE_MAX - buf, which is the
largest possible string that could fit without overflowing 'size'.
Signed-off-by: Tom Cherry <tomcherry at google.com>
[ Paul: pick from the Android tree. Rebase to the upstream ]
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu at linaro.org>
Cc: Tom Rini <trini at konsulko.com>
Link: https://android.googlesource.com/platform/external/u-boot/+/43aae5d4415e0f9d744fb798acd52429d09957ce
---
lib/vsprintf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 2d13e68b57..cd89c56a8f 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -794,7 +794,12 @@ int scnprintf(char *buf, size_t size, const char *fmt, ...)
*/
int vsprintf(char *buf, const char *fmt, va_list args)
{
- return vsnprintf_internal(buf, INT_MAX, fmt, args);
+ /* vsnprintf_internal adds size to buf, so use a size that won't
+ * overflow.
+ */
+ size_t max_size = SIZE_MAX - (size_t)buf;
+
+ return vsnprintf_internal(buf, max_size, fmt, args);
}
int sprintf(char *buf, const char *fmt, ...)
--
2.39.2
More information about the U-Boot
mailing list