From 74b42275eca70ba323730c5a1088f1baf9937383 Mon Sep 17 00:00:00 2001
From: drh <drh@noemail.net>
Date: Tue, 7 Apr 2015 12:41:17 +0000
Subject: [PATCH] Guard against excessive width and precision in floating-point
 conversions in the printf routines.

FossilOrigin-Name: c494171f77dc2e5e04cb6d865e688448f04e5920
---
 manifest         | 16 ++++++++--------
 manifest.uuid    |  2 +-
 src/printf.c     |  7 ++++---
 test/printf.test |  3 +++
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/manifest b/manifest
index 839dc44cc6..31581470a9 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sproblem\swith\sfts3\sprefix\sterms\swithin\sphrase\squeries\son\s"order=DESC"\stables\swith\sa\smix\sof\snegative\sand\spositive\srowids.
-D 2015-04-06T11:04:51.176
+C Guard\sagainst\sexcessive\swidth\sand\sprecision\sin\sfloating-point\sconversions\nin\sthe\sprintf\sroutines.
+D 2015-04-07T12:41:17.461
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 00d12636df7a5b08af09116bcd6c7bfd49b8b3b4
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -226,7 +226,7 @@ F src/pcache1.c 69d137620a305f814398bd29a0c998038c0695e9
 F src/pragma.c ac4f3f856b4234e85f55b0f069698a4766011100
 F src/pragma.h 09c89bca58e9a44de2116cc8272b8d454657129f
 F src/prepare.c 173a5a499138451b2561614ecb87d78f9f4644b9
-F src/printf.c 8da9a2687a396daa19860f4dc90975d319304744
+F src/printf.c 32f69fcba9ddfb71f9466b867f7ee7b7ffee30de
 F src/random.c ba2679f80ec82c4190062d756f22d0c358180696
 F src/resolve.c 41aa91af56d960e9414ce1d7c17cfb68e0d1c6cb
 F src/rowset.c eccf6af6d620aaa4579bd3b72c1b6395d9e9fa1e
@@ -797,7 +797,7 @@ F test/permutations.test f9cc1dd987986c9d4949211c7a4ed55ec9aecba1
 F test/pragma.test ad99d05e411c7687302124be56f3b362204be041
 F test/pragma2.test f624a496a95ee878e81e59961eade66d5c00c028
 F test/pragma3.test 6f849ccffeee7e496d2f2b5e74152306c0b8757c
-F test/printf.test ec9870c4dce8686a37818e0bf1aba6e6a1863552
+F test/printf.test 2f11179e8b7210f3ea262d96b7f7b4cb78b34500
 F test/printf2.test b4acd4bf8734243257f01ddefa17c4fb090acc8a
 F test/progress.test a282973d1d17f08071bc58a77d6b80f2a81c354d
 F test/ptrchng.test ef1aa72d6cf35a2bbd0869a649b744e9d84977fc
@@ -1249,7 +1249,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P edc1de2a588fd50c0049bb2be76d3f6783443165 0cdf502885ea7e5805d7ba3719f055f5d48fc78d
-R 3d0aeff53f9d343a974360d23614c066
-U dan
-Z ac6175e8f164395f5f3f99cbe84625aa
+P 3ad829e50faca538db3abb2afb898b5521550c5c
+R 1f357953eb69048c3e73348b4613f5e5
+U drh
+Z 21bd74616576d30557b17c20f6eb18f9
diff --git a/manifest.uuid b/manifest.uuid
index 60fdaf0098..45e0581d32 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-3ad829e50faca538db3abb2afb898b5521550c5c
\ No newline at end of file
+c494171f77dc2e5e04cb6d865e688448f04e5920
\ No newline at end of file
diff --git a/src/printf.c b/src/printf.c
index 81efa057fc..0ff9887eb7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -450,7 +450,7 @@ void sqlite3VXPrintf(
           else                         prefix = 0;
         }
         if( xtype==etGENERIC && precision>0 ) precision--;
-        for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+        for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
         if( xtype==etFLOAT ) realvalue += rounder;
         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
         exp = 0;
@@ -505,8 +505,9 @@ void sqlite3VXPrintf(
         }else{
           e2 = exp;
         }
-        if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
-          bufpt = zExtra = sqlite3Malloc( MAX(e2,0)+precision+width+15 );
+        if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
+          bufpt = zExtra 
+              = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
           if( bufpt==0 ){
             setStrAccumError(pAccum, STRACCUM_NOMEM);
             return;
diff --git a/test/printf.test b/test/printf.test
index 73222720ab..5dfc6d06cf 100644
--- a/test/printf.test
+++ b/test/printf.test
@@ -526,6 +526,9 @@ do_test printf-2.1.2.8 {
 do_test printf-2.1.2.9 {
   sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
 } {abc: 1 1 (1e-20) :xyz}
+do_test printf-2.1.2.10 {
+  sqlite3_mprintf_double {abc: %*.*f}  2000000000 1000000000 1.0e-20
+} {abc: }
 do_test printf-2.1.3.1 {
   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
 } {abc: (1.0) :xyz}
-- 
2.47.2