Fix interpolation/STRFMT overflow issues (#838)

Widths and fractional widths greater than 255 would overflow a uint8_t and wrap around to smaller values. Total formatted lengths greater than the avilable buffer size would overflow it and potentially corrupt memory. Fixes #830 Closes #831
2025-11-20 18:22:07 +00:00 · 2021-04-17 00:52:55 -04:00
parent 503c3b5364
commit ee5da4468d
9 changed files with 122 additions and 36 deletions
--- a/src/asm/format.c
+++ b/src/asm/format.c
@@ -6,6 +6,7 @@
 * SPDX-License-Identifier: MIT
 */

+#include <assert.h>
 #include <inttypes.h>
 #include <math.h>
 #include <stdbool.h>
@@ -148,20 +149,25 @@ void fmt_PrintString(char *buf, size_t bufLen, struct FormatSpec const *fmt, cha
 	size_t len = strlen(value);
 	size_t totalLen = fmt->width > len ? fmt->width : len;

-	if (totalLen + 1 > bufLen) /* bufLen includes terminator */
+	if (totalLen > bufLen - 1) { /* bufLen includes terminator */
 		error("Formatted string value too long\n");
+		totalLen = bufLen - 1;
+		if (len > totalLen)
+			len = totalLen;
+	}
+	assert(len < bufLen && totalLen < bufLen && len <= totalLen);

-	size_t padLen = fmt->width > len ? fmt->width - len : 0;
+	size_t padLen = totalLen - len;

 	if (fmt->alignLeft) {
-		strncpy(buf, value, len < bufLen ? len : bufLen);
-		for (size_t i = 0; i < totalLen && len + i < bufLen; i++)
-			buf[len + i] = ' ';
-	} else {
-		for (size_t i = 0; i < padLen && i < bufLen; i++)
+		memcpy(buf, value, len);
+		for (size_t i = len; i < totalLen; i++)
 			buf[i] = ' ';
-		if (bufLen > padLen)
-			strncpy(buf + padLen, value, bufLen - padLen - 1);
+	} else {
+		for (size_t i = 0; i < padLen; i++)
+			buf[i] = ' ';
+		if (totalLen > padLen)
+			memcpy(buf + padLen, value, len);
 	}

 	buf[totalLen] = '\0';
@@ -221,12 +227,18 @@ void fmt_PrintNumber(char *buf, size_t bufLen, struct FormatSpec const *fmt, uin
 		/* Special case for fixed-point */

 		/* Default fractional width (C's is 6 for "%f"; here 5 is enough) */
-		uint8_t fracWidth = fmt->hasFrac ? fmt->fracWidth : 5;
+		size_t fracWidth = fmt->hasFrac ? fmt->fracWidth : 5;

 		if (fracWidth) {
+			if (fracWidth > 255) {
+				error("Fractional width %zu too long, limiting to 255\n",
+				      fracWidth);
+				fracWidth = 255;
+			}
+
 			char spec[16]; /* Max "%" + 5-char PRIu32 + ".%0255.f" + terminator */

-			snprintf(spec, sizeof(spec), "%%" PRIu32 ".%%0%d.f", fracWidth);
+			snprintf(spec, sizeof(spec), "%%" PRIu32 ".%%0%zu.f", fracWidth);
 			snprintf(valueBuf, sizeof(valueBuf), spec, value >> 16,
 				 (value % 65536) / 65536.0 * pow(10, fracWidth) + 0.5);
 		} else {
@@ -253,46 +265,47 @@ void fmt_PrintNumber(char *buf, size_t bufLen, struct FormatSpec const *fmt, uin

 	size_t totalLen = fmt->width > numLen ? fmt->width : numLen;

-	if (totalLen + 1 > bufLen) /* bufLen includes terminator */
+	if (totalLen > bufLen - 1) { /* bufLen includes terminator */
 		error("Formatted numeric value too long\n");
+		totalLen = bufLen - 1;
+		if (numLen > totalLen) {
+			len -= numLen - totalLen;
+			numLen = totalLen;
+		}
+	}
+	assert(numLen < bufLen && totalLen < bufLen && numLen <= totalLen && len <= numLen);

-	size_t padLen = fmt->width > numLen ? fmt->width - numLen : 0;
+	size_t padLen = totalLen - numLen;
+	size_t pos = 0;

 	if (fmt->alignLeft) {
-		size_t pos = 0;
-
-		if (sign && pos < bufLen)
+		if (sign)
 			buf[pos++] = sign;
-		if (prefix && pos < bufLen)
+		if (prefix)
 			buf[pos++] = prefix;
-
-		strcpy(buf + pos, valueBuf);
-		pos += len;
-
-		for (size_t i = 0; i < totalLen && pos + i < bufLen; i++)
-			buf[pos + i] = ' ';
+		memcpy(buf + pos, valueBuf, len);
+		for (size_t i = pos + len; i < totalLen; i++)
+			buf[i] = ' ';
 	} else {
-		size_t pos = 0;
-
 		if (fmt->padZero) {
 			/* sign, then prefix, then zero padding */
-			if (sign && pos < bufLen)
+			if (sign)
 				buf[pos++] = sign;
-			if (prefix && pos < bufLen)
+			if (prefix)
 				buf[pos++] = prefix;
-			for (size_t i = 0; i < padLen && pos < bufLen; i++)
+			for (size_t i = 0; i < padLen; i++)
 				buf[pos++] = '0';
 		} else {
 			/* space padding, then sign, then prefix */
-			for (size_t i = 0; i < padLen && pos < bufLen; i++)
+			for (size_t i = 0; i < padLen; i++)
 				buf[pos++] = ' ';
-			if (sign && pos < bufLen)
+			if (sign)
 				buf[pos++] = sign;
-			if (prefix && pos < bufLen)
+			if (prefix)
 				buf[pos++] = prefix;
 		}
-		if (bufLen > pos)
-			strcpy(buf + pos, valueBuf);
+		if (totalLen > pos)
+			memcpy(buf + pos, valueBuf, len);
 	}

 	buf[totalLen] = '\0';