From ed1ee2f906d29eb98fccde7ad0b0a97966b64d19 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Sat, 18 May 2019 15:06:20 +0100
Subject: [PATCH] [Fix] Avoid another overflow in fpconv Issue: #2904
---
 contrib/fpconv/fpconv.c | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/contrib/fpconv/fpconv.c b/contrib/fpconv/fpconv.c
index b01793400..4ec2e3560 100644
--- a/contrib/fpconv/fpconv.c
+++ b/contrib/fpconv/fpconv.c
@@ -227,18 +227,32 @@ static int emit_digits(char* digits, int ndigits, char* dest, int K, bool neg,
 offset = -offset;
 dest[0] = '0';
 dest[1] = '.';
- memset(dest + 2, '0', offset);
- memcpy(dest + offset + 2, digits, ndigits);
- return ndigits + 2 + offset;
+ /* We have up to 21 characters in output available */
+ if (offset + ndigits <= 21) {
+ memset(dest + 2, '0', offset);
+ memcpy(dest + offset + 2, digits, ndigits);
+
+ return ndigits + 2 + offset;
+ }
+ else {
+ /* Overflow */
+ dest[2] = '0';
+ return 3;
+ }
 /* fp > 1.0 */
 } else {
 memcpy(dest, digits, offset);
- dest[offset] = '.';
- memcpy(dest + offset + 1, digits + offset, ndigits - offset);
- return ndigits + 1;
+ /* Overflow check */
+ if (ndigits <= 23) {
+ dest[offset] = '.';
+ memcpy(dest + offset + 1, digits + offset, ndigits - offset);
+ return ndigits + 1;
+ }
+
+ return offset;
 }
 }
--
2.39.5
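Review bot: In the `fp > 1.0` branch the new `ndigits <= 23` test runs only after `memcpy(dest, digits, offset)` has already written `offset` bytes, so the integer part is still copied with no bound and the fallback `return offset;` reports it as valid output. If `offset` can get close to `ndigits` on this path (it is computed outside the hunk), the first copy needs its own guard placed ahead of it, for example `if (offset > 23) { offset = 23; }`, or the whole branch should sit inside the length test. The two limits also disagree: the first branch writes at most 2 + 21 = 23 bytes while this one allows `ndigits + 1` = 24, and neither is tied to the capacity of `dest`, which the hunk does not show. A single named constant for that capacity, with a comment such as `/* bytes left in dest after the optional sign */`, would make both checks auditable. The body of `emit_digits` starts and ends outside the hunk, so the caller's buffer size and sign handling should be confirmed against these numbers.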