From: dan Date: Wed, 20 May 2015 19:48:55 +0000 (+0000) Subject: Avoid signed integer overflow when converting oversized in-line integer X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aaf9a8431528889713e63a0633ed8d7d76eaae98;p=thirdparty%2Fsqlite.git Avoid signed integer overflow when converting oversized in-line integer widths and precisions in printf(). Cherrypick of [c494171f77dc], [5ce4e7d7651e], [95625ef3adc3] and [8e4ac2ce2441]. FossilOrigin-Name: b330c7ff6fd1230cde2c246ba0f9d81f056ea61f --- diff --git a/manifest b/manifest index 90128e2388..2d4444eaca 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Ensure\sthat\scomparison\soperators\sdo\snot\smess\sup\sthe\sMEM_Dyn\sflag\son\sregisters\s\nwhen\sreverting\saffinity\schanges.\sCherrypick\sof\s[02e3c88fbf6a]. -D 2015-05-20T19:44:12.544 +C Avoid\ssigned\sinteger\soverflow\swhen\sconverting\soversized\sin-line\sinteger\s\nwidths\sand\sprecisions\sin\sprintf().\sCherrypick\sof\s[c494171f77dc],\s[5ce4e7d7651e],\s[95625ef3adc3]\sand\s[8e4ac2ce2441]. +D 2015-05-20T19:48:55.227 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 5eb79e334a5de69c87740edd56af6527dd219308 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -218,7 +218,7 @@ F src/pcache.h a5e4f5d9f5d592051d91212c5949517971ae6222 F src/pcache1.c 102e6f5a2fbc646154463eb856d1fd716867b64c F src/pragma.c d10ef67c4de79f78188b965b4b7988aff1d66f2e F src/prepare.c 677521ab7132615a8a26107a1d1c3132f44ae337 -F src/printf.c af06f66927919730f03479fed6ae9854f73419f4 +F src/printf.c 1c030b72d7678386dc359e296fdd3b6214a2aadb F src/random.c d10c1f85b6709ca97278428fd5db5bbb9c74eece F src/resolve.c 0ea356d32a5e884add23d1b9b4e8736681dd5697 F src/rowset.c a9c9aae3234b44a6d7c6f5a3cadf90dce1e627be 
@@ -757,7 +757,7 @@ F test/percentile.test b98fc868d71eb5619d42a1702e9ab91718cbed54 F test/permutations.test bc474bafb022cc5014ef3a9c3d5ab61d6d6f587c F test/pragma.test 19d0241a007bcdd77fc2606ec60fc60357e7fc8b F test/pragma2.test aea7b3d82c76034a2df2b38a13745172ddc0bc13 -F test/printf.test ec9870c4dce8686a37818e0bf1aba6e6a1863552 +F test/printf.test b3ff34e73d59124140eaf89f7672e21bc2ca5fcc F test/printf2.test bed79b4c3e5da08ba88ad637c0bf62586843cfb1 F test/progress.test a282973d1d17f08071bc58a77d6b80f2a81c354d F test/ptrchng.test ef1aa72d6cf35a2bbd0869a649b744e9d84977fc @@ -1186,8 +1186,11 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f -P fc1a4f293c6e29f570098d1fc52d21b32a081476 -Q +02e3c88fbf6abdcf3975fb0fb71972b0ab30da30 -R 50f238e6a4e4d64a05826094e25a8e9e +P 4125477e63fd3a71dce262e0866d3e39cec765f1 +Q +5ce4e7d7651e5c72a59f03f7aeb366291e62ab57 +Q +8e4ac2ce24415926247961b00a62425ae85d6ffb +Q +95625ef3adc3c408d67e70f877f390445fbb8292 +Q +c494171f77dc2e5e04cb6d865e688448f04e5920 +R 4b6e5530dadb627f38b2aa53dc82cd07 U dan -Z 70e234f07696ffaa54fe0a2491f483ca +Z 46e842739206c835d8bd7b51ff043562 diff --git a/manifest.uuid b/manifest.uuid index 69b01834ac..af10c4c2e6 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -4125477e63fd3a71dce262e0866d3e39cec765f1 \ No newline at end of file +b330c7ff6fd1230cde2c246ba0f9d81f056ea61f \ No newline at end of file diff --git a/src/printf.c b/src/printf.c index 37910804d2..777f951506 100644 --- a/src/printf.c +++ b/src/printf.c 
@@ -257,15 +257,19 @@ void sqlite3VXPrintf(
 }
 if( width<0 ){
 flag_leftjustify = 1;
- width = -width;
+ width = width >= -2147483647 ? -width : 0;
 }
 c = *++fmt;
 }else{
+ unsigned wx = 0;
 while( c>='0' && c<='9' ){
- width = width*10 + c - '0';
+ wx = wx*10 + c - '0';
 c = *++fmt;
 }
+ testcase( wx>0x7fffffff );
+ width = wx & 0x7fffffff;
 }
+
 /* Get the precision */
 if( c=='.' ){
 precision = 0;
@@ -276,13 +280,18 @@ void sqlite3VXPrintf(
 }else{
 precision = va_arg(ap,int);
 }
- if( precision<0 ) precision = -precision;
 c = *++fmt;
+ if( precision<0 ){
+ precision = precision >= -2147483647 ? -precision : -1;
+ }
 }else{
+ unsigned px = 0;
 while( c>='0' && c<='9' ){
- precision = precision*10 + c - '0';
+ px = px*10 + c - '0';
 c = *++fmt;
 }
+ testcase( px>0x7fffffff );
+ precision = px & 0x7fffffff;
 }
 }else{
 precision = -1;
@@ -447,7 +456,8 @@ void sqlite3VXPrintf(
 else prefix = 0;
 }
 if( xtype==etGENERIC && precision>0 ) precision--;
- for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}
+ testcase( precision>0xfff );
+ for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
 if( xtype==etFLOAT ) realvalue += rounder;
 /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
 exp = 0;
@@ -502,8 +512,9 @@ void sqlite3VXPrintf(
 }else{
 e2 = exp;
 }
- if( MAX(e2,0)+precision+width > etBUFSIZE - 15 ){
- bufpt = zExtra = sqlite3Malloc( MAX(e2,0)+precision+width+15 );
+ if( MAX(e2,0)+(i64)precision+(i64)width > etBUFSIZE - 15 ){
+ bufpt = zExtra
+ = sqlite3Malloc( MAX(e2,0)+(i64)precision+(i64)width+15 );
 if( bufpt==0 ){
 setStrAccumError(pAccum, STRACCUM_NOMEM);
 return;
@@ -729,7 +740,7 @@ void sqlite3VXPrintf(
 */
 static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
 char *zNew;
- assert( p->nChar+N >= p->nAlloc ); /* Only called if really needed */
+ assert( p->nChar+(i64)N >= p->nAlloc ); /* Only called if really needed */
 if( p->accError ){
 testcase(p->accError==STRACCUM_TOOBIG);
 testcase(p->accError==STRACCUM_NOMEM);
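Review bot: `width = width >= -2147483647 ? -width : 0;` silently turns the most negative int into "no width" but carries no comment, and the same construct recurs for precision in the next hunk (`@@ -276,13 +280,18 @@`) with a different fallback of -1. Suggest `/* -INT_MIN overflows; the minimum int is treated as no width (0) */` above the width line and a matching comment naming the -1 ("no precision") fallback above the precision line, so nobody later simplifies either back to a bare negation. The unsigned accumulation `wx = wx*10 + c - '0'` wraps once the digit string exceeds 2^32-1, so after the mask `width` is an arbitrary non-negative value rather than a saturated one; if that is the intent, `/* wx may wrap on absurd widths; any non-negative result is acceptable, only UB is avoided */` would say so. sqlite3VXPrintf begins and ends outside this hunk.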
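Review bot: `for(idx=precision&0xfff, ...)` bounds the rounder loop by masking rather than clamping, so a precision whose low twelve bits are clear (4096, 8192, ...) starts idx at 0, leaves rounder at 0.5, and the next line then adds 0.5 to realvalue for %f — `%.4096f` of 1.0 would come out as 1.5 unless precision is capped somewhere before this point (the preceding hunk only masks it to 0x7fffffff). A clamp keeps the bound without changing any in-range result, since rounder has underflowed to 0 long before 0xfff iterations anyway: `for(idx=precision>0xfff ? 0xfff : precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}`. The added test printf-13.7 uses precision 10000, whose low bits are non-zero (10000 & 0xfff is 1808), so it does not exercise this case; a `%.4096f` case would. sqlite3VXPrintf begins and ends outside this hunk.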
@@ -772,7 +783,10 @@ static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
 ** Append N space characters to the given string buffer.
 */
 void sqlite3AppendSpace(StrAccum *p, int N){
- if( p->nChar+N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ) return;
+ testcase( p->nChar + (i64)N > 0x7fffffff );
+ if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
+ return;
+ }
 while( (N--)>0 ) p->zText[p->nChar++] = ' ';
 }
diff --git a/test/printf.test b/test/printf.test
index 73222720ab..6103d8acf8 100644
--- a/test/printf.test
+++ b/test/printf.test
@@ -472,6 +472,18 @@ do_test printf-1.16.7 {
 sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
 0xff676981 0xff676981 0xff676981
 } {abc: (-9999999) (0xff676981) (037731664601) :xyz}
+do_test printf-1.17.1 {
+ sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
+} {}
+do_test printf-1.17.2 {
+ sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
+} {}
+do_test printf-1.17.3 {
+ sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
+} {abd: 1 1}
+do_test printf-1.17.4 {
+ sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
+} {/.*/}
 do_test printf-2.1.1.1 {
 sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
 } {abc: (0.0) :xyz}
@@ -526,6 +538,9 @@ do_test printf-2.1.2.8 {
 do_test printf-2.1.2.9 {
 sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20
 } {abc: 1 1 (1e-20) :xyz}
+do_test printf-2.1.2.10 {
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20
+} {abc: }
 do_test printf-2.1.3.1 {
 sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0
 } {abc: (1.0) :xyz}
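Review bot: printf-1.17.4's expected value `{/.*/}` matches any output, so the test only checks that the call returns without crashing, and nothing says that this is deliberate; a comment such as `# Oversized in-line precision: only the absence of overflow/crash is checked` above the test would stop a reader from treating it as a real expectation. The same applies to the empty expectations in printf-1.17.1 and 1.17.2, where the empty string is presumably the result of the oversized width being rejected rather than of the format being ignored; one comment covering the printf-1.17.x group would do.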
@@ -3466,6 +3481,15 @@ do_test printf-3.5 {
 do_test printf-3.6 {
 sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
 } [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
+do_test printf-3.7 {
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
+} []
+do_test printf-3.8 {
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
+} {1 A String: (This is the string)}
+do_test printf-3.9 {
+ sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
+} {1 A String: (This is the string)}
 do_test snprintf-3.11 {
 sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
 } {x}
@@ -3685,6 +3709,9 @@ do_test printf-13.5 {
 do_test printf-13.6 {
 sqlite3_mprintf_hexdouble %.20f fff8000000000000
 } {NaN}
+do_test printf-13.7 {
+ sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17
+} {/100000000000000000000000000000000.00/}
 do_test printf-14.1 {
 sqlite3_mprintf_str {abc-%y-123} 0 0 {not used}
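Review bot: printf-3.7's expected value is written as `[]`, while the equivalent empty expectations added as printf-1.17.1 and 1.17.2 earlier in this same change use `{}`; both evaluate to the empty string, but `[]` reads as a command substitution and can be mistaken for a missing expectation. Suggest `} {}` for consistency. A short comment before printf-3.7 saying that an empty result is the intended outcome of a width of 2147483647 (presumably rejected when the buffer is allocated) would also help, since an empty expectation next to a non-empty format otherwise looks like a typo.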