From b30dd4030dcef950eac05393013ee019c3cb3205 Mon Sep 17 00:00:00 2001 From: Andre Przywara Date: Mon, 24 Jan 2022 18:16:10 +0000 Subject: [PATCH] fix(libc): limit snprintf radix value In our unsigned_num_print() function we first print the integer into a local buffer, then put this through alignment and padding and output the result. For this we use a local buffer, sized by the maximum possible length of the largest possible number. However this assumes that the radix is not smaller than 10, which is indeed the smallest value we pass into this static function at the moment. To prevent accidents in the future, should we add support for other radices, add an assert to enforce our assumption. Unfortunately this cannot be a static assert (CASSERT), since the compiler is not smart enough to see that the argument is always coming from a literal. Change-Id: Ic204462600d9f4c281d899cf9f2c698a0a33a874 Signed-off-by: Andre Przywara --- lib/libc/snprintf.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/libc/snprintf.c b/lib/libc/snprintf.c index 16611435b..7141091bb 100644 --- a/lib/libc/snprintf.c +++ b/lib/libc/snprintf.c @@ -40,6 +40,12 @@ static void unsigned_num_print(char **s, size_t n, size_t *chars_printed, unsigned int rem; char ascii_a = capitalise ? 'A' : 'a'; + if (radix < 10) { + ERROR("snprintf: unsupported radix '%d'.", radix); + plat_panic_handler(); + assert(0); /* Unreachable */ + } + do { rem = unum % radix; if (rem < 10U) { -- 2.39.5
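Review bot: the new `if (radix < 10)` block at the top of unsigned_num_print() has no comment explaining why 10 is the bound, so a later reader adding octal or binary support will not see from the code that the local buffer is sized for the digit count of the largest number in base 10 or higher. Suggest a one-line comment above the check stating that dependency, so the check and the buffer size are changed together. The commit message describes this as adding an assert, but the visible code is an unconditional runtime check that calls ERROR() and plat_panic_handler(), with `assert(0)` only as an unreachable marker; the message should say that the check also fires in builds where asserts are compiled out. Two smaller points: the ERROR() string `"snprintf: unsupported radix '%d'."` has no trailing newline, and `%d` should match the declared type of `radix`, which this hunk does not show.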