[PATCH v4 2/2] lib/vsprintf: Limit the returning size to INT_MAX

Next message: Pengpeng Hou: "[PATCH] fs: dlm: keep room for the final NUL in comm_addr_list_show()"
Previous message: Masami Hiramatsu (Google): "[PATCH v13 4/4] ring-buffer: Add persistent ring buffer selftest"
In reply to: Google: "Re: [PATCH v4 1/2] lib/vsprintf: Fix to check field_width and precision"
Next in thread: Andrew Morton: "Re: [PATCH v4 0/2] lib/vsprintf: Fixes size check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Masami Hiramatsu (Google)

Date: Tue Mar 24 2026 - 22:29:46 EST

From: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>

The return value of vsnprintf() can overflow INT_MAX and return
a minus value. In the @size is checked input overflow, but it does
not check the output, which is expected required size.

This should never happen but it should be checked and limited.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
Reviewed-by: Petr Mladek <pmladek@xxxxxxxx>
---
Changes in v4:
- Add Petr's reviewed-by. (Thanks!)
Changes in v3:
- Use local variable for better readability.
---
lib/vsprintf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 5fa8f69030be..351b6f8e4796 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2859,6 +2859,7 @@ static unsigned long long convert_num_spec(unsigned int val, int size, struct pr
int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
{
char *str, *end;
+ size_t ret_size;
struct printf_spec spec = {0};
struct fmt fmt = {
.str = fmt_str,
@@ -2978,8 +2979,12 @@ int vsnprintf(char *buf, size_t size, const char *fmt_str, va_list args)
}

/* the trailing null byte doesn't count towards the total */
- return str-buf;
+ ret_size = str - buf;

+ /* Make sure the return value is within the positive integer range */
+ if (WARN_ON_ONCE(ret_size > INT_MAX))
+ ret_size = INT_MAX;
+ return ret_size;
}
EXPORT_SYMBOL(vsnprintf);