[PATCH 1/1] lib/vsprintf.c: fix integer overflow in vsprintf

Rasmus Villemoes rasmus.villemoes at prevas.dk
Thu Mar 9 10:45:15 CET 2023

On 09/03/2023 03.12, Ying-Chun Liu (PaulLiu) wrote:
> From: Tom Cherry <tomcherry at google.com>
> vsnprintf_internal() adds 'size' to 'buf' and vsprintf() sets 'size'
> to 'INT_MAX' which can overflow. 

Yes, and? vsprintf_internal then detects that by looking at whether
"end" is now before "buf", and if so corrects it by setting end to the
largest possible address - which is more or less the same you do here,
except if for the platform in question sizeof(size_t)!=sizeof(void *).
So what exactly does this fix?

That piece of code is stolen from linux, so if it's a problem in U-Boot
it most definitely should also show up in linux, which it doesn't.

More details please. What platform is this, what is sizeof(size_t) and
sizeof(void *) and how does the amount of actual RAM come into the picture?


More information about the U-Boot mailing list