diff options
| author |   djm <djm@openbsd.org> | 2017-03-11 23:37:23 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2017-03-11 23:37:23 +0000 |
| commit | 73ae98445ba3bb5289cc58d74fac4a6085cdd0e6 (patch) | |
| tree | b0513aca3366da683688ebf471facf2a404aaf90 | |
| parent | shuffle back: wxabort is described in sysctl(3); (diff) | |
| download | wireguard-openbsd-73ae98445ba3bb5289cc58d74fac4a6085cdd0e6.tar.xz wireguard-openbsd-73ae98445ba3bb5289cc58d74fac4a6085cdd0e6.zip | |
fix signed integer overflow in scan_scaled. Found by Nicolas Iooss
using AFL against ssh_config. ok deraadt@ millert@
| -rw-r--r-- | lib/libutil/fmt_scaled.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/libutil/fmt_scaled.c b/lib/libutil/fmt_scaled.c index eecbde7a68f..bbeb01fdd0e 100644 --- a/lib/libutil/fmt_scaled.c +++ b/lib/libutil/fmt_scaled.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fmt_scaled.c,v 1.12 2013/11/29 19:00:51 deraadt Exp $ */ +/* $OpenBSD: fmt_scaled.c,v 1.13 2017/03/11 23:37:23 djm Exp $ */ /* * Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved. @@ -121,6 +121,10 @@ scan_scaled(char *scaled, long long *result) /* ignore extra fractional digits */ continue; fract_digits++; /* for later scaling */ + if (fpart >= LLONG_MAX / 10) { + errno = ERANGE; + return -1; + } fpart *= 10; fpart += i; } else { /* normal digit */ @@ -128,6 +132,10 @@ scan_scaled(char *scaled, long long *result) errno = ERANGE; return -1; } + if (whole >= LLONG_MAX / 10) { + errno = ERANGE; + return -1; + } whole *= 10; whole += i; } @@ -158,6 +166,11 @@ scan_scaled(char *scaled, long long *result) } scale_fact = scale_factors[i]; + if (whole >= LLONG_MAX / scale_fact) { + errno = ERANGE; + return -1; + } + /* scale whole part */ whole *= scale_fact; |