fix(libc): limit snprintf radix value

In our unsigned_num_print() function we first print the integer into a local buffer, then put this through alignment and padding and output the result. For this we use a local buffer, sized by the maximum possible length of the largest possible number. However this assumes that the radix is not smaller than 10, which is indeed the smallest value we pass into this static function at the moment. To prevent accidents in the future, should we add support for other radices, add an assert to enforce our assumption. Unfortunately this cannot be a static assert (CASSERT), since the compiler is not smart enough to see that the argument is always coming from a literal. Change-Id: Ic204462600d9f4c281d899cf9f2c698a0a33a874 Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2025-04-17 10:04:26 +00:00 · 2022-01-24 18:16:10 +00:00 · 2022-01-24 18:16:10 +00:00 · b30dd4030d
commit b30dd4030d
parent c1f5a0925d
1 changed files with 6 additions and 0 deletions
--- a/lib/libc/snprintf.c
+++ b/lib/libc/snprintf.c
@ -40,6 +40,12 @@ static void unsigned_num_print(char **s, size_t n, size_t *chars_printed,
 	unsigned int rem;
 	char ascii_a = capitalise ? 'A' : 'a';

+	if (radix < 10) {
+		ERROR("snprintf: unsupported radix '%d'.", radix);
+		plat_panic_handler();
+		assert(0); /* Unreachable */
+	}
+
 	do {
 		rem = unum % radix;
 		if (rem < 10U) {