]> source.dussan.org Git - rspamd.git/commitdiff
projects / rspamd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 250becb)
[Fix] Avoid another overflow in fpconv
authorVsevolod Stakhov <vsevolod@highsecure.ru>
Sat, 18 May 2019 14:06:20 +0000 (15:06 +0100)
committerVsevolod Stakhov <vsevolod@highsecure.ru>
Wed, 22 May 2019 13:39:08 +0000 (14:39 +0100)
Issue: #2904

contrib/fpconv/fpconv.c patch | blob | history

diff --git a/contrib/fpconv/fpconv.c b/contrib/fpconv/fpconv.c
index b0179340099b610fa5dd926a6411960ac129f523..4ec2e35600d24cbd467da4c88500c34e1de62c70 100644 (file)
--- a/contrib/fpconv/fpconv.c
+++ b/contrib/fpconv/fpconv.c
@@ -227,18 +227,32 @@ static int emit_digits(char* digits, int ndigits, char* dest, int K, bool neg,
             offset = -offset;
             dest[0] = '0';
             dest[1] = '.';
-            memset(dest + 2, '0', offset);
-            memcpy(dest + offset + 2, digits, ndigits);
 
-            return ndigits + 2 + offset;
+            /* We have up to 21 characters in output available */
+            if (offset + ndigits <= 21) {
+               memset(dest + 2, '0', offset);
+               memcpy(dest + offset + 2, digits, ndigits);
+
+               return ndigits + 2 + offset;
+            }
+            else {
+               /* Overflow */
+               dest[2] = '0';
+               return 3;
+            }
 
         /* fp > 1.0 */
         } else {
             memcpy(dest, digits, offset);
-            dest[offset] = '.';
-            memcpy(dest + offset + 1, digits + offset, ndigits - offset);
 
-            return ndigits + 1;
+            /* Overflow check */
+            if (ndigits <= 23) {
+               dest[offset] = '.';
+               memcpy(dest + offset + 1, digits + offset, ndigits - offset);
+               return ndigits + 1;
+            }
+
+            return offset;
         }
     }
 
Rapid spam filtering system: https://github.com/rspamd/rspamd