From: Dmitry Volyntsev
Date: Tue, 9 Jan 2024 06:19:59 +0000 (-0800)
Subject: Avoiding pointer wraparound for padded integer specifier.
X-Git-Tag: 0.8.3~22
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=178bdf7386ddf93848536be3ea285749cc6be2d1;p=njs.git
Avoiding pointer wraparound for padded integer specifier.
Previously, when integer was larger than the padded width in a integer specifier, the "end" pointer was evaluated to a value before "buf" pointer. Found by UndefinedBehaviorSanitizer.
---
diff --git a/src/njs_sprintf.c b/src/njs_sprintf.c
index f894958d..16ae9004 100644
--- a/src/njs_sprintf.c
+++ b/src/njs_sprintf.c
@@ -522,12 +522,12 @@ njs_integer(njs_sprintf_t *spf, u_char *buf, uint64_t ui64)
 } while (ui64 != 0);
 }
- /* Zero or space padding. */
+ length = (temp + NJS_INT64_T_LEN) - p;
- if (spf->width != 0) {
+ /* Zero or space padding. */
- length = (temp + NJS_INT64_T_LEN) - p;
- end = buf + (spf->width - length);
+ if (length < spf->width) {
+ end = buf + spf->width - length;
 end = njs_min(end, spf->end);
 while (buf < end) {
@@ -537,7 +537,6 @@ njs_integer(njs_sprintf_t *spf, u_char *buf, uint64_t ui64)
 /* Number copying. */
- length = (temp + NJS_INT64_T_LEN) - p;
 end = buf + length;
 end = njs_min(end, spf->end);
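Review bot: In the padding branch of the first hunk, `end = buf + spf->width - length;` still forms the pointer before `njs_min` clamps it, and without the old parentheses it groups as `(buf + spf->width) - length`, so a width larger than the space left in the output buffer yields an intermediate pointer beyond `spf->end`, which is the upper-side counterpart of the wraparound this commit removes and is just as undefined. Clamping the count rather than the pointer avoids that: `end = buf + njs_min(spf->width - length, (size_t) (spf->end - buf));` would replace both assignments, assuming `buf <= spf->end` on entry and unsigned `length`/`width`, whose declarations are outside the hunk. The same form-then-clamp shape remains in `end = buf + length;` in the second hunk. A one-line comment above the new `length < spf->width` test, e.g. `/* Pad only when the digits are shorter than the width, so the difference cannot go negative. */`, would keep the reason for the reordering visible to later readers.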