Re: [PATCH v2 2/2] lib/vsprintf: Limit the returning size to INT_MAX

Next message: WANG Rui: "Re: [PATCH v5] binfmt_elf: Align eligible read-only PT_LOAD segments to PMD_SIZE for THP"
Previous message: Sean Chang: "[PATCH v5 4/5] nfs: Refactor nfs_errorf macros and remove unused ones"
In reply to: Petr Mladek: "Re: [PATCH v2 2/2] lib/vsprintf: Limit the returning size to INT_MAX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Google

Date: Sat Mar 21 2026 - 10:21:12 EST

On Fri, 20 Mar 2026 17:51:48 +0100
Petr Mladek <pmladek@xxxxxxxx> wrote:

> On Fri 2026-03-20 12:54:57, Masami Hiramatsu (Google) wrote:
> > From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
> >
> > The return value of vsnprintf() can overflow INT_MAX and return
> > a minus value. In the @size is checked input overflow, but it does
> > not check the output, which is expected required size.
> >
> > This should never happen but it should be checked and limited.
>
> Great catch!
>
> > --- a/lib/vsprintf.c
> > +++ b/lib/vsprintf.c
> > @@ -2985,7 +2985,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
> > }
> >
> > /* the trailing null byte doesn't count towards the total */
> > - return str-buf;
> > + return WARN_ON_ONCE(str - buf > INT_MAX) ? INT_MAX : str - buf;
>
> Is it guaranteed that the pointer arithmetic will be a big enough
> unsigned number type?
>
> I would rather do a cast to be on the safe side, for example:
>
> return WARN_ON_ONCE((size_t)(str - buf) > INT_MAX) ? INT_MAX : str - buf;

OK.

>
> or even use a variable to make it better readable:
>
> size_t ret_size;
>
> ret_size = str - buf;
> if (WARN_ON_ONCE(ret_size > INT_MAX))
> ret_size = INT_MAX;
> return ret_size;

Ah, Indeed. Let me do this.

Thanks!

>
> Best Regards,
> Petr

--
Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>