From 131d656c23436332fbdb0085d44df76a99ad7a9b Mon Sep 17 00:00:00 2001 From: goldsimon Date: Thu, 20 Apr 2017 21:57:03 +0200 Subject: [PATCH] lwip_itoa: check 'bufsize' instead of ignoring it; ensure code is not stolen from GPL --- src/core/def.c | 55 ++++++++++++++++++++++++++++++++++---------------- 1 file changed, 38 insertions(+), 17 deletions(-) diff --git a/src/core/def.c b/src/core/def.c index 8125313f..ee66eace 100644 --- a/src/core/def.c +++ b/src/core/def.c @@ -197,26 +197,47 @@ lwip_strnicmp(const char* str1, const char* str2, size_t len) void lwip_itoa(char* result, size_t bufsize, int number) { - const int base = 10; - char* ptr = result, *ptr1 = result, tmp_char; - int tmp_value; - LWIP_UNUSED_ARG(bufsize); + char *res = result; + char *tmp = result; + size_t res_left = bufsize; + size_t result_len; + int n = (number > 0) ? number : -number; - do { - tmp_value = number; - number /= base; - *ptr++ = "zyxwvutsrqponmlkjihgfedcba9876543210123456789abcdefghijklmnopqrstuvwxyz"[35 + (tmp_value - number * base)]; - } while(number); + /* handle invalid bufsize */ + if (bufsize < 2) { + if (bufsize == 1) { + *result = 0; + } + return; + } - /* Apply negative sign */ - if (tmp_value < 0) { - *ptr++ = '-'; + /* ensure output string is zero terminated */ + result[bufsize-1] = 0; + result_len = 1; + /* create the string in a temporary buffer since we don't know how long + it will get */ + tmp = &result[bufsize-2]; + while ((n != 0) && (result_len < (result_len - 1))) { + char val = '0' + (n % 10); + *tmp = val; + tmp--; + n = n / 10; + result_len++; } - *ptr-- = '\0'; - while(ptr1 < ptr) { - tmp_char = *ptr; - *ptr--= *ptr1; - *ptr1++ = tmp_char; + + /* output sign first */ + if (number < 0) { + *res = '-'; + res++; + res_left--; } + if (result_len > res_left) { + /* buffer is too small */ + result[0] = '.'; + result[1] = 0; + return; + } + /* copy from temporary buffer to output buffer */ + memmove(res, tmp+1, result_len); } #endif