From 178bdf7386ddf93848536be3ea285749cc6be2d1 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 8 Jan 2024 22:19:59 -0800
Subject: [PATCH] Avoiding pointer wraparound for padded integer specifier.

Previously, when integer was larger than the padded width in a integer specifier, the "end" pointer was evaluated to a value before "buf" pointer.

Found by UndefinedBehaviorSanitizer.
---
 src/njs_sprintf.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/njs_sprintf.c b/src/njs_sprintf.c
index f894958d..16ae9004 100644
--- a/src/njs_sprintf.c
+++ b/src/njs_sprintf.c
@@ -522,12 +522,12 @@ njs_integer(njs_sprintf_t *spf, u_char *buf, uint64_t ui64)
 } while (ui64 != 0);
 }
- /* Zero or space padding. */
+ length = (temp + NJS_INT64_T_LEN) - p;
- if (spf->width != 0) {
+ /* Zero or space padding. */
- length = (temp + NJS_INT64_T_LEN) - p;
- end = buf + (spf->width - length);
+ if (length < spf->width) {
+ end = buf + spf->width - length;
 end = njs_min(end, spf->end);
 while (buf < end) {
@@ -537,7 +537,6 @@ njs_integer(njs_sprintf_t *spf, u_char *buf, uint64_t ui64)
 /* Number copying. */
- length = (temp + NJS_INT64_T_LEN) - p;
 end = buf + length;
 end = njs_min(end, spf->end);
-- 
2.47.3
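Review bot: The new `end = buf + spf->width - length;` still forms an out-of-range intermediate pointer, because it evaluates as `(buf + spf->width) - length`, so a requested width larger than the room left before `spf->end` places that pointer past the output buffer before the `njs_min` on the next line clamps the result; the removed line's parentheses at least kept the overshoot to `spf->width - length`. Clamping the padding count before it is added to the pointer avoids the problem entirely, e.g. `size_t pad = spf->width - length;` / `pad = njs_min(pad, (size_t) (spf->end - buf));` / `end = buf + pad;`, which assumes `buf <= spf->end` holds on entry (the existing `while (buf < end)` loop suggests it does, but that invariant is established outside the hunk). The declarations of `length` and `spf->width` are also outside the hunk, so whether `length < spf->width` mixes signed and unsigned operands cannot be checked here. `njs_integer` starts before and ends after both hunks.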