
2012-07-06

2012-07-06 17:51:17 by Martin Stjernholm <mast@lysator.liu.se>

Sanitized buffer handling when formatting integers.

Should also protect against buffer overrun if INT_TYPE ever becomes
larger, provided anyone runs the testsuite with rtldebug.

13:      #include "machine.h"    + #include <assert.h>   #include <sys/types.h>   #include <sys/stat.h>   #include <fcntl.h>
489:    case PIKE_T_INT:    /* Optimization, this is basically a inlined cast_int_to_string */    { -  char buf[21], *b = buf+19; +  char buf[21], *b = buf + (sizeof (buf) - 2);    int neg, j=0;    INT_TYPE i = Pike_sp[-1].u.integer;    if( i < 0 )
506:    neg = 0;    pop_stack();    -  buf[20] = 0; +  buf[sizeof (buf) - 1] = 0;       while( i >= 10 )    {
515:    }    b[ -j++ ] = '0'+(i%10);    if( neg ) b[ -j++ ] = '-'; +  assert (b - j + 1 >= buf);    push_text( b-j+1 );    }    return;
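Review bot: The `assert (b - j + 1 >= buf);` added before `push_text` is evaluated only after the `b[ -j++ ]` stores, so if INT_TYPE ever outgrows `buf[21]` the out-of-bounds writes have already happened by the time it fires, and the check compiles away in any build that defines NDEBUG. The bound can be enforced at compile time by deriving the buffer size from the type, for example `char buf[sizeof (INT_TYPE) * 3 + 2], *b = buf + (sizeof (buf) - 2);`, which allows three decimal digits per byte plus a sign and the terminating NUL. The rest of the change already uses `sizeof (buf)`, so no other line needs to change, and the assert can stay as a secondary check. The `case PIKE_T_INT:` body is only partly visible here (the negative branch and the digit loop are cut), so the handling of the most negative value could not be reviewed.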