From: Tom Cherry <tomche...@google.com>

vsnprintf_internal() adds 'size' to 'buf' and vsprintf() sets 'size' to 'INT_MAX' which can overflow. This causes sprintf() to fail when initializing the environment on 8GB.

Instead of using 'INT_MAX', we use SIZE_MAX - buf, which is the largest possible string that could fit without overflowing 'size'. Signed-off-by: Tom Cherry <tomche...@google.com> [ Paul: pick from the Android tree. Rebase to the upstream ] Signed-off-by: Ying-Chun Liu (PaulLiu) <paul....@linaro.org> Cc: Tom Rini <tr...@konsulko.com> Link: https://android.googlesource.com/platform/external/u-boot/+/43aae5d4415e0f9d744fb798acd52429d09957ce --- lib/vsprintf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 2d13e68b57..cd89c56a8f 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -794,7 +794,12 @@ int scnprintf(char *buf, size_t size, const char *fmt, ...) */ int vsprintf(char *buf, const char *fmt, va_list args) { - return vsnprintf_internal(buf, INT_MAX, fmt, args); + /* vsnprintf_internal adds size to buf, so use a size that won't + * overflow. + */ + size_t max_size = SIZE_MAX - (size_t)buf; + + return vsnprintf_internal(buf, max_size, fmt, args); } int sprintf(char *buf, const char *fmt, ...) -- 2.39.2
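
Review bot: In vsprintf(), the new `max_size = SIZE_MAX - (size_t)buf` protects only this one caller, while the addition of size to buf that the new comment describes happens inside vsnprintf_internal(). Any other caller that passes a large size can still wrap the end pointer, so consider clamping the size where the addition is done, which covers every entry point with a single check. Two smaller points on the same lines: max_size can now be far larger than INT_MAX while vsprintf() still returns int, so a sentence in the comment about the expected upper bound on output length would help the next reader; and the pointer-to-integer conversion is more conventionally written with uintptr_t than with size_t, since size_t is not guaranteed to hold a pointer value. The block comment also starts its text on the `/*` line, which is worth aligning with the multi-line comment layout used elsewhere in the file.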