From: dan Date: Tue, 7 Apr 2015 14:38:57 +0000 (+0000) Subject: Another change to avoid a problem caused by integer overflow in the printf() code. X-Git-Tag: version-3.8.9~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c069147cecc868648b2ef701b77d74be073095f;p=thirdparty%2Fsqlite.git Another change to avoid a problem caused by integer overflow in the printf() code. FossilOrigin-Name: 95625ef3adc3c408d67e70f877f390445fbb8292 --- diff --git a/manifest b/manifest index 3aa52a9c50..476d45c6a9 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Further\schanges\sto\sguard\sagainst\sinteger\soverflow\sin\sthe\swidth\sand\sprecision\nof\sprintf()\sarguments. -D 2015-04-07T13:28:41.878 +C Another\schange\sto\savoid\sa\sproblem\scaused\sby\sinteger\soverflow\sin\sthe\sprintf()\scode. +D 2015-04-07T14:38:57.638 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 00d12636df7a5b08af09116bcd6c7bfd49b8b3b4 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -226,7 +226,7 @@ F src/pcache1.c 69d137620a305f814398bd29a0c998038c0695e9 F src/pragma.c ac4f3f856b4234e85f55b0f069698a4766011100 F src/pragma.h 09c89bca58e9a44de2116cc8272b8d454657129f F src/prepare.c 173a5a499138451b2561614ecb87d78f9f4644b9 -F src/printf.c 0f3476d9c8befc12708a3d614c22859b0cb79f19 +F src/printf.c 62f93b9276807b053e9c9625b48f4843ef82e978 F src/random.c ba2679f80ec82c4190062d756f22d0c358180696 F src/resolve.c 41aa91af56d960e9414ce1d7c17cfb68e0d1c6cb F src/rowset.c eccf6af6d620aaa4579bd3b72c1b6395d9e9fa1e 
@@ -797,7 +797,7 @@ F test/permutations.test f9cc1dd987986c9d4949211c7a4ed55ec9aecba1
 F test/pragma.test ad99d05e411c7687302124be56f3b362204be041
 F test/pragma2.test f624a496a95ee878e81e59961eade66d5c00c028
 F test/pragma3.test 6f849ccffeee7e496d2f2b5e74152306c0b8757c
-F test/printf.test 5ab2b4666ca544645c4af2d78198f93b1e030d6e
+F test/printf.test b38d5d81a8cc20a040667c9acad68ddf5b18ccdd
 F test/printf2.test b4acd4bf8734243257f01ddefa17c4fb090acc8a
 F test/progress.test a282973d1d17f08071bc58a77d6b80f2a81c354d
 F test/ptrchng.test ef1aa72d6cf35a2bbd0869a649b744e9d84977fc
@@ -1249,7 +1249,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P c494171f77dc2e5e04cb6d865e688448f04e5920
-R 7b4db908cf9a9f885bafc7fac7b1a77f
-U drh
-Z 16061aae0366142fcfaf02b796330263
+P 5ce4e7d7651e5c72a59f03f7aeb366291e62ab57
+R d822c3498c99ae588b224a89f4618062
+U dan
+Z d5717f1cffb0747ad695b3c7e862b042
diff --git a/manifest.uuid b/manifest.uuid
index dddcbe141c..50a22e5cce 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-5ce4e7d7651e5c72a59f03f7aeb366291e62ab57
\ No newline at end of file
+95625ef3adc3c408d67e70f877f390445fbb8292
\ No newline at end of file
diff --git a/src/printf.c b/src/printf.c
index 13eb491cda..3eab6d47d6 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -270,6 +270,8 @@ void sqlite3VXPrintf(
 c = *++fmt;
 }
 }
+ if( width<0 ) width = 0; /* force to non-negative after int overflow */
+
 /* Get the precision */
 if( c=='.' ){
 precision = 0;
@@ -280,7 +282,6 @@ void sqlite3VXPrintf(
 }else{
 precision = va_arg(ap,int);
 }
- if( precision<0 ) precision = -precision;
 c = *++fmt;
 }else{
 while( c>='0' && c<='9' ){
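Review bot: The added `if( width<0 ) width = 0;` in the `-270,6 +270,8` hunk of src/printf.c repairs the value only after the overflow its comment mentions has already happened, and it catches only results that wrap negative. The width-parsing code sits above the hunk, so this is inferred, but if the digits are accumulated in a signed `int`, that overflow is undefined behaviour in C, and a long digit string can just as well wrap to a large positive width that passes this check. Accumulating in an `unsigned` and masking the result, or stopping at a cap inside the digit loop, would bound the value where it is produced. If the clamp stays as is, the comment should state the limit, for example `/* width may have wrapped: negative results are clamped here, large positive ones are not */`.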
@@ -288,6 +289,12 @@ void sqlite3VXPrintf(
 c = *++fmt;
 }
 }
+
+ /* If a negative precision has been specified, use its absolute value
+ ** instead. This is (probably) not standard printf() behaviour, but
+ ** it is what sqlite3_mprintf() and friends have always done. If the
+ ** precision specified is -2147483648, use 0. */
+ if( precision<0 ) precision = (-precision) & 0x7fffffff;
 }else{
 precision = -1;
 }
@@ -390,7 +397,6 @@ void sqlite3VXPrintf(
 if( precision
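Review bot: In the `-288,6 +289,12` hunk, `(-precision) & 0x7fffffff` negates before it masks, so for the -2147483648 case that the new comment singles out, `-precision` is itself a signed overflow and undefined behaviour in C. The result 0 is only what two's-complement wraparound happens to produce, and an optimising compiler is not obliged to preserve it. Testing the bound first gives the documented result without the overflow: `if( precision<0 ) precision = precision >= -2147483647 ? -precision : 0;`. The body of sqlite3VXPrintf() starts and ends outside the hunk, and the digit-parsing branch for precision is only partly visible, so whether that path can also overflow is not assessed here.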