From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 6 Dec 2024 15:01:50 +0000 (+0100)
Subject: mprintf: fix the integer overflow checks
X-Git-Tag: curl-8_11_1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59fec5ac43ade98b31093e707b5ac2aba305bd2a;p=thirdparty%2Fcurl.git

mprintf: fix the integer overflow checks

When a floating point precision or string width are provided as a
base-10 number, the code could miss to detect integer overflows if the
provided value was exactly 2147483648 or 2147483649 (2147483647 being
the maxium value a signed integer can hold).

The chance that such values would actually ever be used is slim.

This change fixes the detection to also cover those edge cases.

Closes #15699
---

diff --git a/lib/mprintf.c b/lib/mprintf.c
index 6576f3ebf9..35e40e302d 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -321,10 +321,10 @@ static int parsefmt(const char *format,
               fmt++;
             }
             while(ISDIGIT(*fmt)) {
-              if(precision > INT_MAX/10)
+              int n = *fmt - '0';
+              if(precision > (INT_MAX - n) / 10)
                 return PFMT_PREC;
-              precision *= 10;
-              precision += *fmt - '0';
+              precision = precision * 10 + n;
               fmt++;
             }
             if(is_neg)
@@ -397,10 +397,10 @@ static int parsefmt(const char *format,
           width = 0;
           fmt--;
           do {
-            if(width > INT_MAX/10)
+            int n = *fmt - '0';
+            if(width > (INT_MAX - n) / 10)
               return PFMT_WIDTH;
-            width *= 10;
-            width += *fmt - '0';
+            width = width * 10 + n;
             fmt++;
           } while(ISDIGIT(*fmt));
           break;