Previously, when the integer was longer than the padded width in an integer
specifier, the "end" pointer evaluated to a value before the "buf"
pointer.
Found by UndefinedBehaviorSanitizer.
} while (ui64 != 0);
}
- /* Zero or space padding. */
+ length = (temp + NJS_INT64_T_LEN) - p;
- if (spf->width != 0) {
+ /* Zero or space padding. */
- length = (temp + NJS_INT64_T_LEN) - p;
- end = buf + (spf->width - length);
+ if (length < spf->width) {
+ end = buf + spf->width - length;
end = njs_min(end, spf->end);
while (buf < end) {
/* Number copying. */
- length = (temp + NJS_INT64_T_LEN) - p;
end = buf + length;
end = njs_min(end, spf->end);
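Review bot: The padding bound at `end = buf + spf->width - length;` is still computed as a pointer first and clamped by `njs_min(end, spf->end)` afterwards. If `spf->end` marks the end of the output buffer (not visible here), a width larger than the remaining space forms a pointer beyond one-past-the-end, which is the same class of undefined pointer arithmetic this commit removes on the low side. The number-copying line `end = buf + length;` has the same shape. Clamping the count instead of the pointer avoids it, e.g. `n = njs_min(spf->width - length, (size_t) (spf->end - buf)); end = buf + n;`. The declarations of `length` and `spf->width` are outside the hunk, so also confirm that `length < spf->width` does not compare signed with unsigned; the enclosing function starts and ends outside the hunk.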