[PATCH v3 2/2] lib/vsprintf: Limit the returning size to INT_MAX
From: Masami Hiramatsu (Google)
Date: Sat Mar 21 2026 - 10:42:36 EST
From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
The return value of vsnprintf() can overflow INT_MAX and return
a negative value. The input @size is checked for overflow, but the
output, which is the expected required size, is not checked.
This should never happen but it should be checked and limited.
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
---
Changes in v3:
- Use local variable for better readability.
---
lib/vsprintf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index ce9cbe071ab2..396021a50355 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2866,6 +2866,7 @@ static unsigned long long convert_num_spec(unsigned int val, int size, struct pr
int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
{
char *str, *end;
+ size_t ret_size;
struct printf_spec spec = {0};
struct fmt fmt = {
.str = fmt_str,
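Review bot: The new local ret_size is declared as size_t, but the value it later receives, str - buf, is a signed pointer difference, and nothing at the declaration says why an unsigned type is used. Because of the unsigned type, the single ret_size > INT_MAX test also catches a negative difference (it wraps to a huge value), not only an oversized one. If that is intended, a short comment at the declaration or at the check would stop a later cleanup from changing the type to int or ptrdiff_t and silently disabling the check.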
@@ -2985,8 +2986,12 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
}
/* the trailing null byte doesn't count towards the total */
- return str-buf;
+ ret_size = str - buf;
+ /* Make sure the return value is within the positive integer range */
+ if (WARN_ON_ONCE(ret_size > INT_MAX))
+ ret_size = INT_MAX;
+ return ret_size;
}
EXPORT_SYMBOL(vsnprintf);
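Review bot: The clamp at "ret_size = INT_MAX;" changes what the return value means and nothing in the patch documents it. Once clamped, the result is no longer the length the format would have produced, and a caller that sizes a buffer from it cannot tell "exactly INT_MAX" from "larger than INT_MAX". Please describe the clamped case in the function's comment so callers know to treat INT_MAX as an overflow indication. Also note that WARN_ON_ONCE() reports only the first occurrence while the clamp applies every time, so later overflows are limited silently. That is fine if intended, but the comment above the check could say so.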