author | Daniel Stenberg <daniel@haxx.se> | 2016-11-08 15:32:37 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-12-19 07:53:20 +0100 |
commit | 3ab3c16db6a5674f53cf23d56512a405fde0b2c9 (patch) | |
tree | 0c69855066ac3d7b7a6b2b60478bd4162be73735 | |
parent | 60450d507f89a310c99a5039f720c18e7799b393 (diff) |
printf: fix floating point buffer overflow issues
... and add a bunch of floating point printf tests
-rw-r--r-- | lib/mprintf.c | 20 | ||||
-rw-r--r-- | tests/data/test557 | 1 | ||||
-rw-r--r-- | tests/libtest/lib557.c | 136 |
3 files changed, 152 insertions, 5 deletions
diff --git a/lib/mprintf.c b/lib/mprintf.c index a995c59a4..0dea5af62 100644 --- a/lib/mprintf.c +++ b/lib/mprintf.c @@ -92,7 +92,8 @@ # define mp_uintmax_t unsigned long #endif -#define BUFFSIZE 256 /* buffer for long-to-str and float-to-str calcs */ +#define BUFFSIZE 326 /* buffer for long-to-str and float-to-str calcs, should + fit negative DBL_MAX (317 letters) */ #define MAX_PARAMETERS 128 /* lame static limit */ #ifdef __AMIGA__ @@ -916,12 +917,25 @@ static int dprintf_formatf( *fptr = 0; if(width >= 0) { + if(width >= (long)sizeof(work)) + width = sizeof(work)-1; /* RECURSIVE USAGE */ len = curl_msnprintf(fptr, left, "%ld", width); fptr += len; left -= len; } if(prec >= 0) { + /* for each digit in the integer part, we can have one less + precision */ + size_t maxprec = sizeof(work) - 2; + double val = p->data.dnum; + while(val >= 10.0) { + val /= 10; + maxprec--; + } + + if(prec > (long)maxprec) + prec = maxprec-1; /* RECURSIVE USAGE */ len = curl_msnprintf(fptr, left, ".%ld", prec); fptr += len; @@ -941,7 +955,9 @@ static int dprintf_formatf( /* NOTE NOTE NOTE!! Not all sprintf implementations return number of output characters */ (sprintf)(work, formatbuf, p->data.dnum); - +#ifdef CURLDEBUG + assert(strlen(work) <= sizeof(work)); +#endif for(fptr=work; *fptr; fptr++) OUTCHAR(*fptr); } diff --git a/tests/data/test557 b/tests/data/test557 index 8d0944a1e..ad9350f6e 100644 --- a/tests/data/test557 +++ b/tests/data/test557 @@ -40,6 +40,7 @@ All curl_mprintf() unsigned long tests OK! All curl_mprintf() signed long tests OK! All curl_mprintf() curl_off_t tests OK! All curl_mprintf() strings tests OK! +All float strings tests OK! </stdout> </verify> diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c index 683ca089f..8c62a0e8a 100644 --- a/tests/libtest/lib557.c +++ b/tests/libtest/lib557.c 
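Review bot: The new precision clamp in the `if(prec >= 0)` branch only accounts for integer digits of positive values: `while(val >= 10.0)` never runs when `p->data.dnum` is negative, so a large-magnitude negative number with a large precision keeps `maxprec` at `sizeof(work) - 2` and the later unbounded `(sprintf)(work, ...)` can still write past `work`. Taking the magnitude and reserving a byte for the sign before the loop, `if(val < 0) { val = -val; maxprec--; }`, would cover that case. By my count the comparison is also off by one: with `prec == maxprec` the output is integer digits + '.' + `prec` = `sizeof(work)` characters, leaving no room for the terminating NUL, so the test should be `if(prec >= (long)maxprec)`. The loop also looks like it cannot terminate if the value is +infinity, since dividing infinity by 10 stays infinite; a finite-value guard before it is worth confirming. The body of dprintf_formatf starts and ends outside this hunk.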
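Review bot: The added debug check `assert(strlen(work) <= sizeof(work));` accepts a string of exactly `sizeof(work)` characters, whose terminating NUL already lies one byte past the buffer; it should read `assert(strlen(work) < sizeof(work));`. The check also runs after `(sprintf)(work, formatbuf, p->data.dnum)` has written and only under `CURLDEBUG`, so it can report an overrun in debug builds but never prevents one, and release builds rely entirely on the width and precision clamps. A comment above the call saying so, for example `/* unbounded write: width/prec were clamped above so the output fits in work */`, would make that dependency visible to the next reader. The enclosing function continues outside the hunk.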
@@ -1374,16 +1374,31 @@ static int test_curl_off_t_formatting(void) return failed; } -static int string_check(char *buf, const char *buf2) +static int _string_check(int linenumber, char *buf, const char *buf2) { if(strcmp(buf, buf2)) { /* they shouldn't differ */ - printf("sprintf failed:\nwe '%s'\nsystem: '%s'\n", - buf, buf2); + printf("sprintf line %d failed:\nwe '%s'\nsystem: '%s'\n", + linenumber, buf, buf2); return 1; } return 0; } +#define string_check(x,y) _string_check(__LINE__, x, y) + +static int _strlen_check(int linenumber, char *buf, size_t len) +{ + size_t buflen = strlen(buf); + if(len != buflen) { + /* they shouldn't differ */ + printf("sprintf strlen:%d failed:\nwe '%d'\nsystem: '%d'\n", + linenumber, buflen, len); + return 1; + } + return 0; +} + +#define strlen_check(x,y) _strlen_check(__LINE__, x, y) /* * The output strings in this test need to have been verified with a system 
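Review bot: In `_strlen_check` the `printf` passes two `size_t` values (`buflen` and `len`) to `%d` conversions, which is a format/argument type mismatch and undefined behaviour where `size_t` is wider than `int`. Casting at the call, `linenumber, (int)buflen, (int)len);`, fixes it without depending on a `size_t` conversion specifier being available on every supported compiler. As a style point, `_string_check` and `_strlen_check` are file-scope identifiers with a leading underscore, which C reserves for the implementation; a suffix form such as `string_check_line` avoids the clash.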
@@ -1523,6 +1538,119 @@ static int test_weird_arguments(void) return errors; } +/* DBL_MAX value from Linux */ +#define MAXIMIZE -179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368.000000 + +static int test_float_formatting(void) +{ + int errors = 0; + char buf[512]; /* larger than max float size */ + curl_msnprintf(buf, sizeof(buf), "%f", 9.0); + errors += string_check(buf, "9.000000"); + + curl_msnprintf(buf, sizeof(buf), "%.1f", 9.1); + errors += string_check(buf, "9.1"); + + curl_msnprintf(buf, sizeof(buf), "%.2f", 9.1); + errors += string_check(buf, "9.10"); + + curl_msnprintf(buf, sizeof(buf), "%.0f", 9.1); + errors += string_check(buf, "9"); + + curl_msnprintf(buf, sizeof(buf), "%0f", 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%10f", 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%10.3f", 9.1); + errors += string_check(buf, " 9.100"); + + curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.1); + errors += string_check(buf, "9.100 "); + + curl_msnprintf(buf, sizeof(buf), "%-10.3f", 9.123456); + errors += string_check(buf, "9.123 "); + + curl_msnprintf(buf, sizeof(buf), "%.-2f", 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 10, 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 3, 9.1); + errors += string_check(buf, "9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.2987654); + errors += string_check(buf, "9.298765"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.298765); + errors += string_check(buf, "9.298765"); + + curl_msnprintf(buf, sizeof(buf), "%*f", 6, 9.29876); + errors += string_check(buf, "9.298760"); + + 
curl_msnprintf(buf, sizeof(buf), "%.*f", 6, 9.2987654); + errors += string_check(buf, "9.298765"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 5, 9.2987654); + errors += string_check(buf, "9.29877"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 4, 9.2987654); + errors += string_check(buf, "9.2988"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 3, 9.2987654); + errors += string_check(buf, "9.299"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 2, 9.2987654); + errors += string_check(buf, "9.30"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 1, 9.2987654); + errors += string_check(buf, "9.3"); + curl_msnprintf(buf, sizeof(buf), "%.*f", 0, 9.2987654); + errors += string_check(buf, "9"); + + /* very large precisions easily turn into system specific outputs so we only + check the output buffer length here as we know the internal limit */ + + curl_msnprintf(buf, sizeof(buf), "%.*f", (1<<30), 9.2987654); + errors += strlen_check(buf, 325); + + curl_msnprintf(buf, sizeof(buf), "%10000.10000f", 9.2987654); + errors += strlen_check(buf, 325); + + curl_msnprintf(buf, sizeof(buf), "%240.10000f", + 123456789123456789123456789.2987654); + errors += strlen_check(buf, 325); + + /* 1<<31 turns negative (-2147483648) when used signed */ + curl_msnprintf(buf, sizeof(buf), "%*f", (1<<31), 9.1); + errors += string_check(buf, "9.100000"); + + /* curl_msnprintf() limits a single float output to 325 bytes maximum + width */ + curl_msnprintf(buf, sizeof(buf), "%*f", (1<<30), 9.1); + errors += string_check(buf, " 9.100000"); + curl_msnprintf(buf, sizeof(buf), "%100000f", 9.1); + errors += string_check(buf, " 9.100000"); + + curl_msnprintf(buf, sizeof(buf), "%f", MAXIMIZE); + errors += strlen_check(buf, 317); + + curl_msnprintf(buf, 2, "%f", MAXIMIZE); + errors += strlen_check(buf, 1); + curl_msnprintf(buf, 3, "%f", MAXIMIZE); + errors += strlen_check(buf, 2); + curl_msnprintf(buf, 4, "%f", MAXIMIZE); + errors += strlen_check(buf, 3); + curl_msnprintf(buf, 5, "%f", MAXIMIZE); + errors += 
strlen_check(buf, 4); + curl_msnprintf(buf, 6, "%f", MAXIMIZE); + errors += strlen_check(buf, 5); + + if(!errors) + printf("All float strings tests OK!\n"); + else + printf("test_float_formatting Failed!\n"); + + return errors; +} + int test(char *URL) { @@ -1547,6 +1675,8 @@ int test(char *URL) errors += test_string_formatting(); + errors += test_float_formatting(); + if(errors) return TEST_ERR_MAJOR_BAD; else |
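Review bot: The only negative input in `test_float_formatting` is `MAXIMIZE` with a plain `%f`, so the precision-clamping path is never exercised with a negative value, and no case uses a precision sitting exactly at the internal limit rather than far above it. Cases such as `curl_msnprintf(buf, sizeof(buf), "%.*f", (1<<30), MAXIMIZE);` and a precision of `325 - <integer digits>` for a positive value, each followed by a `strlen_check` on the expected clamped length, would cover those edges. Separately, `(1<<31)` shifts into the sign bit of an `int`, which is undefined behaviour in C rather than a guaranteed negative value as the comment assumes; `INT_MIN` from `<limits.h>` expresses the intent. Using `-DBL_MAX` from `<float.h>` instead of the hand-copied `MAXIMIZE` literal would also keep the test tied to the platform's actual limit.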