From 0a7f810856cbfbb2117cdb2ef66974a8d764c50e Mon Sep 17 00:00:00 2001
From: guenther
Date: Wed, 20 Sep 2017 05:08:11 +0000
Subject: Avoid overflow/truncation during string->integer converion by eliminating the 'int' temporary variable. problem reported by Jacob Zimmermann (jacobz (at) senseofsecurity.com.au) ok deraadt@
---
usr.sbin/lpr/lpd/printjob.c | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
(limited to 'usr.sbin/lpr')
diff --git a/usr.sbin/lpr/lpd/printjob.c b/usr.sbin/lpr/lpd/printjob.c
index 1e7b2471e97..280e1850aa9 100644
--- a/usr.sbin/lpr/lpd/printjob.c
+++ b/usr.sbin/lpr/lpd/printjob.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: printjob.c,v 1.58 2016/11/22 16:03:57 millert Exp $ */
+/* $OpenBSD: printjob.c,v 1.59 2017/09/20 05:08:11 guenther Exp $ */
 /* $NetBSD: printjob.c,v 1.31 2002/01/21 14:42:30 wiz Exp $ */
 /*
@@ -417,15 +417,13 @@ printit(char *file)
 case 'S':
 cp = line+1;
- i = 0;
+ fdev = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
 cp++;
- i = 0;
+ fino = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
 continue;
 case 'J':
@@ -826,15 +824,13 @@ sendit(char *file)
 again:
 if (line[0] == 'S') {
 cp = line+1;
- i = 0;
+ fdev = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fdev = i;
+ fdev = fdev * 10 + (*cp++ - '0');
 cp++;
- i = 0;
+ fino = 0;
 while (*cp >= '0' && *cp <= '9')
- i = i * 10 + (*cp++ - '0');
- fino = i;
+ fino = fino * 10 + (*cp++ - '0');
 continue;
 }
 if (line[0] >= 'a' && line[0] <= 'z') {
--
cgit v1.2.3-59-g8ed1b
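Review bot: The bare `cp++` between the two digit loops under `case 'S':` in printit() skips one byte without looking at it, so an `S` line that ends right after the first number moves `cp` past the terminating NUL and the second loop parses whatever bytes follow in `line`; `if (*cp != '\0') cp++;` keeps the scan inside the string. The accumulation `fdev = fdev * 10 + (*cp++ - '0')` is also still unbounded: removing the `int` temporary stops the truncation, but a long enough digit run will wrap or overflow whatever types `fdev` and `fino` have (their declarations are outside the hunk), so a range-checked parse that rejects the line on overflow would be safer. Both points apply unchanged to the `line[0] == 'S'` block in the sendit() hunk, and since the two blocks are identical a small shared helper would keep them from drifting apart. The bodies of printit() and sendit() continue outside these hunks.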