authordrh <drh@noemail.net>2015-04-07 13:28:41 +0000
committerdrh <drh@noemail.net>2015-04-07 13:28:41 +0000
commita30d22a7a6b1eff78d2869ab4e56782522d5a758 (patch)
tree24ffc37ff38f5f3b50d31d799ee07e143b054c74
parent74b42275eca70ba323730c5a1088f1baf9937383 (diff)
downloadsqlite-a30d22a7a6b1eff78d2869ab4e56782522d5a758.tar.gz
sqlite-a30d22a7a6b1eff78d2869ab4e56782522d5a758.zip
Further changes to guard against integer overflow in the width and precision
of printf() arguments. FossilOrigin-Name: 5ce4e7d7651e5c72a59f03f7aeb366291e62ab57
-rw-r--r--manifest14
-rw-r--r--manifest.uuid2
-rw-r--r--src/printf.c9
-rw-r--r--test/printf.test21
4 files changed, 36 insertions, 10 deletions
diff --git a/manifest b/manifest
index 31581470a..3aa52a9c5 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Guard\sagainst\sexcessive\swidth\sand\sprecision\sin\sfloating-point\sconversions\nin\sthe\sprintf\sroutines.
-D 2015-04-07T12:41:17.461
+C Further\schanges\sto\sguard\sagainst\sinteger\soverflow\sin\sthe\swidth\sand\sprecision\nof\sprintf()\sarguments.
+D 2015-04-07T13:28:41.878
F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
F Makefile.in 00d12636df7a5b08af09116bcd6c7bfd49b8b3b4
F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -226,7 +226,7 @@ F src/pcache1.c 69d137620a305f814398bd29a0c998038c0695e9
F src/pragma.c ac4f3f856b4234e85f55b0f069698a4766011100
F src/pragma.h 09c89bca58e9a44de2116cc8272b8d454657129f
F src/prepare.c 173a5a499138451b2561614ecb87d78f9f4644b9
-F src/printf.c 32f69fcba9ddfb71f9466b867f7ee7b7ffee30de
+F src/printf.c 0f3476d9c8befc12708a3d614c22859b0cb79f19
F src/random.c ba2679f80ec82c4190062d756f22d0c358180696
F src/resolve.c 41aa91af56d960e9414ce1d7c17cfb68e0d1c6cb
F src/rowset.c eccf6af6d620aaa4579bd3b72c1b6395d9e9fa1e
@@ -797,7 +797,7 @@ F test/permutations.test f9cc1dd987986c9d4949211c7a4ed55ec9aecba1
F test/pragma.test ad99d05e411c7687302124be56f3b362204be041
F test/pragma2.test f624a496a95ee878e81e59961eade66d5c00c028
F test/pragma3.test 6f849ccffeee7e496d2f2b5e74152306c0b8757c
-F test/printf.test 2f11179e8b7210f3ea262d96b7f7b4cb78b34500
+F test/printf.test 5ab2b4666ca544645c4af2d78198f93b1e030d6e
F test/printf2.test b4acd4bf8734243257f01ddefa17c4fb090acc8a
F test/progress.test a282973d1d17f08071bc58a77d6b80f2a81c354d
F test/ptrchng.test ef1aa72d6cf35a2bbd0869a649b744e9d84977fc
@@ -1249,7 +1249,7 @@ F tool/vdbe_profile.tcl 67746953071a9f8f2f668b73fe899074e2c6d8c1
F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
F tool/warnings.sh 0abfd78ceb09b7f7c27c688c8e3fe93268a13b32
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 3ad829e50faca538db3abb2afb898b5521550c5c
-R 1f357953eb69048c3e73348b4613f5e5
+P c494171f77dc2e5e04cb6d865e688448f04e5920
+R 7b4db908cf9a9f885bafc7fac7b1a77f
U drh
-Z 21bd74616576d30557b17c20f6eb18f9
+Z 16061aae0366142fcfaf02b796330263
diff --git a/manifest.uuid b/manifest.uuid
index 45e0581d3..dddcbe141 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-c494171f77dc2e5e04cb6d865e688448f04e5920 \ No newline at end of file
+5ce4e7d7651e5c72a59f03f7aeb366291e62ab57 \ No newline at end of file
diff --git a/src/printf.c b/src/printf.c
index 0ff9887eb..13eb491cd 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -390,6 +390,7 @@ void sqlite3VXPrintf(
if( precision<etBUFSIZE-10 ){
nOut = etBUFSIZE;
zOut = buf;
+ if( precision<0 ) precision = 0;
}else{
nOut = precision + 10;
zOut = zExtra = sqlite3Malloc( nOut );
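Review bot: The clamp added next to `zOut = buf` only covers the small-precision path; the `else` branch still forms `nOut = precision + 10` in plain int arithmetic, so unless precision is already capped before this block (the earlier commit named in the manifest suggests it is, but that code is outside the hunk) a value near INT_MAX would overflow before `sqlite3Malloc( nOut )` ever sees it, and an explicit upper-bound check ahead of the addition would make the guard self-evident. The clamp itself deserves a why-comment, e.g. `if( precision<0 ) precision = 0;  /* "%.*" with a negative argument means no precision */`. The enclosing sqlite3VXPrintf starts and ends outside this hunk.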
@@ -450,6 +451,7 @@ void sqlite3VXPrintf(
else prefix = 0;
}
if( xtype==etGENERIC && precision>0 ) precision--;
+ testcase( precision>0xfff );
for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){}
if( xtype==etFLOAT ) realvalue += rounder;
/* Normalize realvalue to within 10.0 > realvalue >= 1.0 */
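Review bot: `precision&0xfff` bounds the rounder loop by wrapping rather than saturating, so a precision of exactly 0x1000 (which the added `testcase( precision>0xfff )` implies can reach this line, though an upstream cap outside the hunk may prevent it) gives idx==0 and rounder==0.5, and `%f` then adds 0.5 to the value before formatting it instead of a rounder matching the requested digits. A saturating form avoids that and converges to the same rounder of 0.0 that any precision beyond a few hundred digits already produces: `for(idx=precision>0xfff ? 0xfff : precision, rounder=0.5; idx>0; idx--, rounder*=0.1){}`. Whichever form is kept, a comment stating that the bound exists only to keep the loop finite would help the next reader. sqlite3VXPrintf starts and ends outside this hunk.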
@@ -739,7 +741,7 @@ void sqlite3VXPrintf(
*/
static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
char *zNew;
- assert( p->nChar+N >= p->nAlloc ); /* Only called if really needed */
+ assert( p->nChar+(i64)N >= p->nAlloc ); /* Only called if really needed */
if( p->accError ){
testcase(p->accError==STRACCUM_TOOBIG);
testcase(p->accError==STRACCUM_NOMEM);
@@ -788,7 +790,10 @@ static int sqlite3StrAccumEnlarge(StrAccum *p, int N){
** Append N copies of character c to the given string buffer.
*/
void sqlite3AppendChar(StrAccum *p, int N, char c){
- if( p->nChar+N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ) return;
+ testcase( p->nChar + (i64)N > 0x7fffffff );
+ if( p->nChar+(i64)N >= p->nAlloc && (N = sqlite3StrAccumEnlarge(p, N))<=0 ){
+ return;
+ }
while( (N--)>0 ) p->zText[p->nChar++] = c;
}
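Review bot: The header comment at the top of this hunk still says only "Append N copies of character c", while the new guard makes the function's behaviour for oversized and non-positive N worth stating; suggest extending it to `** Append N copies of character c to the given string buffer. N<=0 appends nothing; if the buffer cannot grow, nothing is appended and the failure is left for the caller to observe (presumably via p->accError, set in sqlite3StrAccumEnlarge — confirm).` The `testcase( p->nChar + (i64)N > 0x7fffffff )` line would also read better with a trailing note that the new printf-1.17.x and printf-3.7/3.8 tests are what exercise it.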
diff --git a/test/printf.test b/test/printf.test
index 5dfc6d06c..dadc23194 100644
--- a/test/printf.test
+++ b/test/printf.test
@@ -472,6 +472,18 @@ do_test printf-1.16.7 {
sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\
0xff676981 0xff676981 0xff676981
} {abc: (-9999999) (0xff676981) (037731664601) :xyz}
+do_test printf-1.17.1 {
+ sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1
+} {}
+do_test printf-1.17.2 {
+ sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1
+} {}
+do_test printf-1.17.3 {
+ sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1
+} {}
+do_test printf-1.17.4 {
+ sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1
+} {abd: 1 1 1}
do_test printf-2.1.1.1 {
sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001
} {abc: (0.0) :xyz}
@@ -3469,6 +3481,15 @@ do_test printf-3.5 {
do_test printf-3.6 {
sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string}
} [format {%d %d A String: (%-30s)} 1 2 {This is the string}]
+do_test printf-3.7 {
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string}
+} []
+do_test printf-3.8 {
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string}
+} []
+do_test printf-3.9 {
+ sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string}
+} {1 A String: (This is the string)}
do_test snprintf-3.11 {
sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string}
} {x}
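Review bot: printf-3.7 and printf-3.8 write the empty expected result as `[]`, an empty command substitution, whereas printf-1.17.1 through 1.17.3 in the same change use the literal `{}`; both compare equal, but `} {}` is clearer and matches the rest of the file. An empty result also only shows that the oversized width was refused, not which error path refused it; if the harness can expose the error code (cannot tell from this hunk), asserting it would make the regression test sharper.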