From 8b3e678ace1926c9c9521c5eeae823bc37952fca Mon Sep 17 00:00:00 2001
From: Paul Smith <psmith@gnu.org>
Date: Mon, 21 Feb 2022 09:29:41 -0500
Subject: [PATCH] Ensure buffers are large enough for integer values

Issue raised by Sergei Trofimovich <siarheit@google.com>

* src/makeint.h (INTSTR_LENGTH): Update for unsigned values.
* src/function.c (func_lastword): Use INTSTR_LENGTH as buffer size.
(shell_function_completed): Ditto.
(func_call): Ditto.
* src/remote-cstms.c (start_remote_job): Ditto.
---
 src/function.c     | 12 ++++++------
 src/makeint.h      |  2 +-
 src/remote-cstms.c |  3 ++-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/function.c b/src/function.c
index 89bbc327..38ab9667 100644
--- a/src/function.c
+++ b/src/function.c
@@ -738,14 +738,14 @@ func_lastword (char *o, char **argv, const char *funcname UNUSED)
 static char *
 func_words (char *o, char **argv, const char *funcname UNUSED)
 {
-  int i = 0;
+  unsigned int i = 0;
   const char *word_iterator = argv[0];
-  char buf[20];
+  char buf[INTSTR_LENGTH];
 
   while (find_next_token (&word_iterator, NULL) != 0)
     ++i;
 
-  sprintf (buf, "%d", i);
+  sprintf (buf, "%u", i);
   o = variable_buffer_output (o, buf, strlen (buf));
 
   return o;
@@ -1615,7 +1615,7 @@ static int shell_function_completed;
 void
 shell_completed (int exit_code, int exit_sig)
 {
-  char buf[256];
+  char buf[INTSTR_LENGTH];
 
   shell_function_pid = 0;
   if (exit_sig == 0 && exit_code == 127)
@@ -2763,7 +2763,7 @@ func_call (char *o, char **argv, const char *funcname UNUSED)
 
   for (i=0; *argv; ++i, ++argv)
     {
-      char num[11];
+      char num[INTSTR_LENGTH];
 
       sprintf (num, "%d", i);
       define_variable (num, strlen (num), *argv, o_automatic, 0);
@@ -2776,7 +2776,7 @@ func_call (char *o, char **argv, const char *funcname UNUSED)
 
   for (; i < max_args; ++i)
     {
-      char num[11];
+      char num[INTSTR_LENGTH];
 
       sprintf (num, "%d", i);
       define_variable (num, strlen (num), "", o_automatic, 0);
diff --git a/src/makeint.h b/src/makeint.h
index d3660b6a..fce1afe1 100644
--- a/src/makeint.h
+++ b/src/makeint.h
@@ -491,7 +491,7 @@ extern struct rlimit stack_limit;
    integers as a string.
    Does NOT include space for \0 so be sure to add it if needed.
    Math suggested by Edward Welbourne <edward.welbourne@qt.io>  */
-#define INTSTR_LENGTH   (53 * sizeof(uintmax_t) / 22 + 2)
+#define INTSTR_LENGTH   (53 * sizeof(uintmax_t) / 22 + 3)
 
 #define DEFAULT_TTYNAME "true"
 #ifdef HAVE_TTYNAME
diff --git a/src/remote-cstms.c b/src/remote-cstms.c
index 8f162abd..3602a27e 100644
--- a/src/remote-cstms.c
+++ b/src/remote-cstms.c
@@ -232,7 +232,8 @@ start_remote_job (char **argv, char **envp, int stdin_fd,
   else if (pid == 0)
     {
       /* Child side.  Run 'export' to handle the connection.  */
-      static char sock_buf[20], retsock_buf[20], id_buf[20];
+      static char sock_buf[INTSTR_LENGTH], retsock_buf[INTSTR_LENGTH];
+      static char id_buf[INTSTR_LENGTH];
       static char *new_argv[6] =
         { EXPORT_COMMAND, "-id", sock_buf, retsock_buf, id_buf, 0 };