commit 31a1224: [Fix] Avoid another overflow in fpconv

Vsevolod Stakhov vsevolod at highsecure.ru
Sat May 18 14:14:06 UTC 2019


Author: Vsevolod Stakhov
Date: 2019-05-18 15:06:20 +0100
URL: https://github.com/rspamd/rspamd/commit/31a1224de44218d8252f25aa42e2544b7ef74119 (HEAD -> master)

[Fix] Avoid another overflow in fpconv
Issue: #2904

---
 contrib/fpconv/fpconv.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/contrib/fpconv/fpconv.c b/contrib/fpconv/fpconv.c
index b01793400..4ec2e3560 100644
--- a/contrib/fpconv/fpconv.c
+++ b/contrib/fpconv/fpconv.c
@@ -227,18 +227,32 @@ static int emit_digits(char* digits, int ndigits, char* dest, int K, bool neg,
             offset = -offset;
             dest[0] = '0';
             dest[1] = '.';
-            memset(dest + 2, '0', offset);
-            memcpy(dest + offset + 2, digits, ndigits);
 
-            return ndigits + 2 + offset;
+            /* We have up to 21 characters in output available */
+            if (offset + ndigits <= 21) {
+            	memset(dest + 2, '0', offset);
+            	memcpy(dest + offset + 2, digits, ndigits);
+
+            	return ndigits + 2 + offset;
+            }
+            else {
+            	/* Overflow */
+            	dest[2] = '0';
+            	return 3;
+            }
 
         /* fp > 1.0 */
         } else {
             memcpy(dest, digits, offset);
-            dest[offset] = '.';
-            memcpy(dest + offset + 1, digits + offset, ndigits - offset);
 
-            return ndigits + 1;
+            /* Overflow check */
+            if (ndigits <= 23) {
+            	dest[offset] = '.';
+            	memcpy(dest + offset + 1, digits + offset, ndigits - offset);
+            	return ndigits + 1;
+            }
+
+            return offset;
         }
     }
 
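Review bot: In the `fp > 1.0` branch the first `memcpy(dest, digits, offset);` still runs before the new `ndigits <= 23` check, so when that check fails the integer part has already been written without any bound and `return offset;` reports a length that was never compared with the buffer. Whether `offset` can actually get that large depends on code outside the hunk (emit_digits begins and ends beyond it), so the copy should sit behind its own guard, for example `if (offset > 23) offset = 23;` ahead of the `memcpy`, with the limit adjusted to the real size of `dest`. The two limits also disagree: `offset + ndigits <= 21` allows 23 bytes in total while `ndigits <= 23` allows 24, and neither literal is tied to the destination size, so a single named constant shared with the caller's buffer declaration would make the bound checkable. Both fallbacks silently change the value (`0.0` in one branch, a dropped fractional part in the other); a comment stating that this truncation is intended would help whoever audits the callers.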

