lib: fix uninitialized memory access on handling %J string formats

When parsing the padding size specification of a `J` format, e.g. `%.4J`, the internally called `atoi()` function might read beyond the end of the initialized memory within the format buffer, leading to non-deterministic results. Avoid overreading the initialized memory by parsing the padding length manually digit-by-digit. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2021-10-22 20:06:29 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2021-10-22 20:21:49 +0200
commit: 9041e2403d98fdb54206c23bd684a7da6fb63026 (patch)
tree: 2d5d6c693ae0b8cbcfcdeebdbb8f4e719d1ff04f
parent: 496b4f3c371f19b955d260fb1c8c8ba819f6a7b2 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/lib.c b/lib.c
index b0f501a..0b1f663 100644
--- a/lib.c
+++ b/lib.c
@@ -1395,8 +1395,10 @@ uc_printf_common(uc_vm_t *vm, size_t nargs, uc_stringbuf_t *buf)
 
 				for (i = 0; sfmt + i < fp; i++) {
 					if (sfmt[i] == '.') {
-						pad_size = 1 + atoi(&sfmt[i + 1]);
-						fp = &sfmt[i];
+						for (pad_size = 0, i++; sfmt + i < fp && isdigit(sfmt[i]); i++)
+							pad_size = pad_size * 10 + (sfmt[i] - '0');
+						pad_size++;
+						fp = &sfmt[i-1];
 						break;
 					}
 				}
author	Jo-Philipp Wich <jo@mein.io>	2021-10-22 20:06:29 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2021-10-22 20:21:49 +0200
commit	9041e2403d98fdb54206c23bd684a7da6fb63026 (patch)
tree	2d5d6c693ae0b8cbcfcdeebdbb8f4e719d1ff04f
parent	496b4f3c371f19b955d260fb1c8c8ba819f6a7b2 (diff)