printf: Format String Parsing Overflow Causes Panic

sylvestre · sylvestre · commit 0b63ffca5c53 · 2025-12-18T18:30:21.000+01:00
Closes: uutils#9697
diff --git a/src/uucore/src/lib/features/format/spec.rs b/src/uucore/src/lib/features/format/spec.rs
@@ -595,14 +595,10 @@ fn eat_number(rest: &mut &[u8], index: &mut usize) -> Option<usize> {
     match rest[*index..].iter().position(|b| !b.is_ascii_digit()) {
         None | Some(0) => None,
         Some(i) => {
-            // TODO: This might need to handle errors better
-            // For example in case of overflow.
-            let parsed = std::str::from_utf8(&rest[*index..(*index + i)])
-                .unwrap()
-                .parse()
-                .unwrap();
+            // Handle large numbers that would cause overflow
+            let num_str = std::str::from_utf8(&rest[*index..(*index + i)]).unwrap();
             *index += i;
-            Some(parsed)
+            Some(num_str.parse().unwrap_or(usize::MAX))
         }
     }
 }
diff --git a/tests/by-util/test_printf.rs b/tests/by-util/test_printf.rs
@@ -1482,3 +1482,13 @@ fn test_large_width_format() {
             .stdout_is("");
     }
 }
+
+#[test]
+fn test_extreme_field_width_overflow() {
+    // Test the specific case that was causing panic due to integer overflow
+    // in the field width parsing.
+    new_ucmd!()
+        .args(&["%999999999999999999999999d", "1"])
+        .fails_with_code(1)
+        .stderr_only("printf: write error\n");
+}

Original file line number	Diff line number	Diff line change
`@@ -595,14 +595,10 @@ fn eat_number(rest: &mut &[u8], index: &mut usize) -> Option<usize> {`
`595`	`595`	`match rest[*index..].iter().position(\|b\| !b.is_ascii_digit()) {`
`596`	`596`	`None \| Some(0) => None,`
`597`	`597`	`Some(i) => {`
`598`		`- // TODO: This might need to handle errors better`
`599`		`- // For example in case of overflow.`
`600`		`- let parsed = std::str::from_utf8(&rest[index..(index + i)])`
`601`		`- .unwrap()`
`602`		`- .parse()`
`603`		`- .unwrap();`
	`598`	`+ // Handle large numbers that would cause overflow`
	`599`	`+ let num_str = std::str::from_utf8(&rest[index..(index + i)]).unwrap();`
`604`	`600`	`*index += i;`
`605`		`- Some(parsed)`
	`601`	`+ Some(num_str.parse().unwrap_or(usize::MAX))`
`606`	`602`	`}`
`607`	`603`	`}`
`608`	`604`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1482,3 +1482,13 @@ fn test_large_width_format() {`
`1482`	`1482`	`.stdout_is("");`
`1483`	`1483`	`}`
`1484`	`1484`	`}`
	`1485`	`+`
	`1486`	`+#[test]`
	`1487`	`+fn test_extreme_field_width_overflow() {`
	`1488`	`+ // Test the specific case that was causing panic due to integer overflow`
	`1489`	`+ // in the field width parsing.`
	`1490`	`+ new_ucmd!()`
	`1491`	`+ .args(&["%999999999999999999999999d", "1"])`
	`1492`	`+ .fails_with_code(1)`
	`1493`	`+ .stderr_only("printf: write error\n");`
	`1494`	`+}`