[PATCH 1/1] lib/vsprintf.c: fix integer overflow in vsprintf

Ying-Chun Liu (PaulLiu) paul.liu at linaro.org
Thu Mar 9 03:12:21 CET 2023


From: Tom Cherry <tomcherry at google.com>

vsnprintf_internal() adds 'size' to 'buf' and vsprintf() sets 'size'
to 'INT_MAX' which can overflow.  This causes sprintf() to fail when
initializing the environment on 8GB.

Instead of using 'INT_MAX', we use SIZE_MAX - buf, which is the
largest possible string that could fit without overflowing 'size'.

Signed-off-by: Tom Cherry <tomcherry at google.com>
[ Paul: pick from the Android tree. Rebase to the upstream ]
Signed-off-by: Ying-Chun Liu (PaulLiu) <paul.liu at linaro.org>
Cc: Tom Rini <trini at konsulko.com>
Link: https://android.googlesource.com/platform/external/u-boot/+/43aae5d4415e0f9d744fb798acd52429d09957ce
---
 lib/vsprintf.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 2d13e68b57..cd89c56a8f 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -794,7 +794,12 @@ int scnprintf(char *buf, size_t size, const char *fmt, ...)
  */
 int vsprintf(char *buf, const char *fmt, va_list args)
 {
-	return vsnprintf_internal(buf, INT_MAX, fmt, args);
+	/* vsnprintf_internal adds size to buf, so use a size that won't
+	 * overflow.
+	 */
+	size_t max_size = SIZE_MAX - (size_t)buf;
+
+	return vsnprintf_internal(buf, max_size, fmt, args);
 }
 
 int sprintf(char *buf, const char *fmt, ...)
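Review bot: the cast `(size_t)buf` converts a pointer to an integer through a length type; `uintptr_t` is the type meant for that conversion and makes the intent (the address of `buf`, not a size) explicit, so consider `size_t max_size = SIZE_MAX - (uintptr_t)buf;`. With this value `buf + max_size` inside vsnprintf_internal() lands exactly on SIZE_MAX, which is the intended cap; it only keeps the pointer arithmetic from wrapping and, like the INT_MAX it replaces, says nothing about the caller's actual buffer length, so vsprintf() stays unbounded for undersized buffers. Minor style point: U-Boot follows the kernel block-comment style, so the opening `/*` should sit on its own line with the text starting on the next ` * ` line rather than on the `/* vsnprintf_internal adds size to buf, ...` line.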
-- 
2.39.2


