
Overview
Comment: Further changes to guard against integer overflow in the width and precision of printf() arguments.
SHA1:5ce4e7d7651e5c72a59f03f7aeb366291e62ab57
User & Date: drh 2015-04-07 13:28:41
References
2015-05-20
19:48
Avoid signed integer overflow when converting oversized in-line integer widths and precisions in printf(). Cherrypick of [c494171f77dc], [5ce4e7d7651e], [95625ef3adc3] and [8e4ac2ce2441]. check-in: b330c7ff user: dan tags: branch-3.8.6
Context
2015-05-20
19:48
Avoid signed integer overflow when converting oversized in-line integer widths and precisions in printf(). Cherrypick of [c494171f77dc], [5ce4e7d7651e], [95625ef3adc3] and [8e4ac2ce2441]. check-in: b330c7ff user: dan tags: branch-3.8.6
2015-04-07
14:38
Another change to avoid a problem caused by integer overflow in the printf() code. check-in: 95625ef3 user: dan tags: trunk
13:28
Further changes to guard against integer overflow in the width and precision of printf() arguments. check-in: 5ce4e7d7 user: drh tags: trunk
12:41
Guard against excessive width and precision in floating-point conversions in the printf routines. check-in: c494171f user: drh tags: trunk
Changes

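--- a/src/printf.c
+++ b/src/printf.c
@@ -386,14 +386,15 @@
         if( longvalue==0 ) flag_alternateform = 0;
         if( flag_zeropad && precision<width-(prefix!=0) ){
           precision = width-(prefix!=0);
         }
         if( precision<etBUFSIZE-10 ){
           nOut = etBUFSIZE;
           zOut = buf;
+          if( precision<0 ) precision = 0;
         }else{
           nOut = precision + 10;
           zOut = zExtra = sqlite3Malloc( nOut );
           if( zOut==0 ){
             setStrAccumError(pAccum, STRACCUM_NOMEM);
             return;
           }
@@ -446,14 +447,15 @@
           prefix = '-';
         }else{
           if( flag_plussign )          prefix = '+';
           else if( flag_blanksign )    prefix = ' ';
           else                         prefix = 0;
         }
         if( xtype==etGENERIC && precision>0 ) precision--;
+        testcase( precision>0xfff );
         for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
         if( xtype==etFLOAT ) realvalue += rounder;
         /* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
         exp = 0;
         if( sqlite3IsNaN((double)realvalue) ){
           bufpt = "NaN";
           length = 3;
@@ -735,15 +737,15 @@
 ** able to accept at least N more bytes of text.
 **
 ** Return the number of bytes of text that StrAccum is able to accept
 ** after the attempted enlargement.  The value returned might be zero.
 */
 static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
   char *zNew;
-  assert( p->nChar+N >= p->nAlloc ); /* Only called if really needed */
+  assert( p->nChar+(i64)N >= p->nAlloc ); /* Only called if really needed */
   if( p->accError ){
     testcase(p->accError==STRACCUM_TOOBIG);
     testcase(p->accError==STRACCUM_NOMEM);
     return 0;
   }
   if( !p->useMalloc ){
     N = p->nAlloc - p->nChar - 1;
@@ -784,15 +786,18 @@
   return N;
 }
 
 /*
 ** Append N copies of character c to the given string buffer.
 */
 void sqlite3AppendChar(StrAccum *p, int N, char c){
+  testcase( p->nChar + (i64)N > 0x7fffffff );
-  if( p->nChar+N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ) return;
+  if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
+    return;
+  }
   while( (N--)>0 ) p->zText[p->nChar++] = c;
 }
 
 /*
 ** The StrAccum "p" is not large enough to accept N new bytes of z[].
 ** So enlarge if first, then do the append.
 **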
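Review bot: `nOut = precision + 10;` in the else branch of the first hunk is still plain int arithmetic, and the hunk only shows `precision` bounded from below (the added `if( precision<0 ) precision = 0;` sits on the other branch); if `precision` can still approach INT_MAX at this point, `precision + 10` is signed overflow and the wrapped value reaches `sqlite3Malloc( nOut )`. If the conversion-spec parser now clamps `precision` before this code (the new printf-1.17.4 test suggests it does), a comment above the branch such as `/* precision is bounded by the spec parser, so +10 cannot overflow */` would make that invariant visible here; otherwise compute `(i64)precision + 10` and reject values that do not fit an int. The cast-to-i64 comparisons in the third and fourth hunks cover the StrAccum side; this note is only about the allocation-size computation. The enclosing conversion function starts and ends outside these hunks.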

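--- a/test/printf.test
+++ b/test/printf.test
@@ -468,14 +468,26 @@
   sqlite3_mprintf_int {abc: (% 6d) (% 6x) (% 6o) :xyz}\
        0xff676981 0xff676981 0xff676981
 } {abc: (-9999999) (ff676981) (37731664601) :xyz}
 do_test printf-1.16.7 {
   sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
        0xff676981 0xff676981 0xff676981
 } {abc: (-9999999) (0xff676981) (037731664601) :xyz}
+do_test printf-1.17.1 {
+  sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
+} {}
+do_test printf-1.17.2 {
+  sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
+} {}
+do_test printf-1.17.3 {
+  sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
+} {}
+do_test printf-1.17.4 {
+  sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
+} {abd: 1 1 1}
 do_test printf-2.1.1.1 {
   sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
 } {abc: (0.0) :xyz}
 do_test printf-2.1.1.2 {
   sqlite3_mprintf_double {abc: (%*.*e) :xyz} 1 1 0.001
 } {abc: (1.0e-03) :xyz}
 do_test printf-2.1.1.3 {
@@ -3465,14 +3477,23 @@
 } [format {%d %d A String: (%s)} 1 2 {This is the string}]
 do_test printf-3.5 {
   sqlite3_mprintf_str {%d %d A String: (%30s)} 1 2 {This is the string}
 } [format {%d %d A String: (%30s)} 1 2 {This is the string}]
 do_test printf-3.6 {
   sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
 } [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
+do_test printf-3.7 {
+  sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
+} []
+do_test printf-3.8 {
+  sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
+} []
+do_test printf-3.9 {
+  sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
+} {1 A String: (This is the string)}
 do_test snprintf-3.11 {
   sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
 } {x}
 do_test snprintf-3.12 {
   sqlite3_snprintf_str 3 {x%d %d %s} 10 10 {This is the string}
 } {x1}
 do_test snprintf-3.13 {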
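Review bot: The new printf-1.17.1–1.17.4 and printf-3.7–3.9 cases pin outputs without stating the contract they enforce: an empty result for width at INT_MAX or INT_MIN (1.17.1–1.17.3, 3.7, 3.8) versus full output when the oversized or negative precision is apparently ignored (1.17.4, 3.9), and nothing in the file says which behaviour is intended. A one-line comment ahead of each group, e.g. `# Width/precision at the int limits must not overflow; oversized width produces no output, oversized precision is disregarded`, would make the expectations reviewable and keep a future "fix" from silently flipping them. Whether `{}` / `[]` here means an empty string or a NULL return from sqlite3_mprintf is not visible from this hunk; presumably the harness maps NULL to empty, which is worth confirming so an OOM NULL cannot be mistaken for the intended rejection.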