Description: fix denial of service or arbitrary code execution via sprintf
Origin: upstream, https://hg.mozilla.org/projects/nspr/rev/74eb616c618e
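--- a/mozilla/nsprpub/pr/src/io/prprf.c
+++ b/mozilla/nsprpub/pr/src/io/prprf.c
 ** Convert a double precision floating point number into its printable
-** XXX stop using sprintf to convert floating point
+** XXX stop using snprintf to convert floating point
 static int cvt_f(SprintfState *ss, double d, const char *fmt0, const char *fmt1)
 int amount = fmt1 - fmt0;
- PR_ASSERT((amount > 0) && (amount < sizeof(fin)));
- if (amount >= sizeof(fin)) {
- /* Totally bogus % command to sprintf. Just ignore it */
+ if (amount <= 0 || amount >= sizeof(fin)) {
+ /* Totally bogus % command to snprintf. Just ignore it */
 memcpy(fin, fmt0, amount);
- /* Convert floating point using the native sprintf code */
+ /* Convert floating point using the native snprintf code */
- sprintf(fout, fin, d);
- ** This assert will catch overflow's of fout, when building with
- ** debugging on. At least this way we can track down the evil piece
- ** of calling code and fix it!
- PR_ASSERT(strlen(fout) < sizeof(fout));
+ memset(fout, 0, sizeof(fout));
+ snprintf(fout, sizeof(fout), fin, d);
+ /* Explicitly null-terminate fout because on Windows snprintf doesn't
+ * append a null-terminator if the buffer is too small. */
+ fout[sizeof(fout) - 1] = '\0';
 return (*ss->stuff)(ss, fout, strlen(fout));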
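Review bot: The return value of `snprintf(fout, sizeof(fout), fin, d)` is discarded, so a conversion whose width or precision needs more than `sizeof(fout)` bytes is silently truncated and `cvt_f` still hands the shortened text to `ss->stuff` as if it were complete. The bounded call removes the overflow, but callers cannot tell truncated output from correct output. Consider capturing the result, `int n = snprintf(fout, sizeof(fout), fin, d);`, and either returning the function's error value when `n < 0 || (size_t)n >= sizeof(fout)` or stating in the comment above the call that truncation is the intended behaviour. The declarations of `fin` and `fout` and the return in the bogus-format branch are not among the visible lines, so the error convention should be confirmed against the full function.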
56
Index: nspr-4.9.5/mozilla/nsprpub/pr/tests/Makefile.in
57
===================================================================
58
--- nspr-4.9.5.orig/mozilla/nsprpub/pr/tests/Makefile.in 2012-11-13 18:18:00.000000000 -0500
59
+++ nspr-4.9.5/mozilla/nsprpub/pr/tests/Makefile.in 2014-06-27 11:06:26.430686964 -0400
68
Index: nspr-4.9.5/mozilla/nsprpub/pr/tests/prfdbl.c
69
===================================================================
70
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
71
+++ nspr-4.9.5/mozilla/nsprpub/pr/tests/prfdbl.c 2014-06-27 11:06:26.430686964 -0400
73
+/* This Source Code Form is subject to the terms of the Mozilla Public
74
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
75
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
78
+ * This is a simple test of the PR_fprintf() function for doubles.
85
+ double pi = 3.1415926;
87
+ double root2 = 1.414;
88
+ double nan = 0.0 / 0.0;
90
+ PR_fprintf(PR_STDOUT, "pi is %f.\n", pi);
91
+ PR_fprintf(PR_STDOUT, "e is %f.\n", e);
92
+ PR_fprintf(PR_STDOUT, "The square root of 2 is %f.\n", root2);
93
+ PR_fprintf(PR_STDOUT, "NaN is %f.\n", nan);
95
+ PR_fprintf(PR_STDOUT, "pi is %301f.\n", pi);
96
+ PR_fprintf(PR_STDOUT, "e is %65416.123f.\n", e);
97
+ PR_fprintf(PR_STDOUT, "e is %0000000000000000000065416.123f.\n", e);
98
+ PR_fprintf(PR_STDOUT, "NaN is %1024.1f.\n", nan);