Tidy up __strtosignal(): pass a buffer and length to its itoa() and

make sure we can't underrun this buffer.  Also force NUL-termination
of this buffer, and ensure that large unsigned integers are printed
correctly.

Started by a diff from Dave Hines, openbsd (at) dph (dot) fluff (dot)
org; thanks.

with and ok otto@

1 files changed, 12 insertions, 8 deletions

diff --git a/src/lib/libc/string/__strsignal.c b/src/lib/libc/string/__strsignal.c
index ebbf08d24a..09054a9517 100644
--- a/src/lib/libc/string/__strsignal.c
+++ b/src/lib/libc/string/__strsignal.c
@@ -28,7 +28,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char *rcsid = "$OpenBSD: __strsignal.c,v 1.9 2005/03/30 20:13:52 otto Exp $";
+static char *rcsid = "$OpenBSD: __strsignal.c,v 1.10 2005/05/01 19:39:02 tom Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #ifdef NLS
@@ -45,17 +45,18 @@ static char *rcsid = "$OpenBSD: __strsignal.c,v 1.9 2005/03/30 20:13:52 otto Exp
 #include <signal.h>
 #include <string.h>
 
-static char *itoa(int num)
+static char *
+itoa(char *buffer, size_t buffer_size, unsigned int num)
 {
-        static char buffer[11];
-        char *p;
+        char *p = buffer + buffer_size;
 
-        p = buffer + 4;
-        while (num >= 10) {
+        *--p = '\0';
+        while (num >= 10 && p > buffer + 1) {
                 *--p = (num % 10) + '0';
                 num /= 10;
         }
-        *p = (num % 10) + '0';
+        /* num < 10 || p == buffer + 1 */
+        *--p = (num % 10) + '0';
         return p;
 }
 
@@ -79,12 +80,15 @@ __strsignal(int num, char *buf)
                 return((char *)sys_siglist[signum]);
 #endif
         } else {
+#define MAXINTDIGS 11
+                char str[MAXINTDIGS];
+
 #ifdef NLS
                 strlcpy(buf, catgets(catd, 1, 0xffff, UPREFIX), NL_TEXTMAX);
 #else
                 strlcpy(buf, UPREFIX, NL_TEXTMAX);
 #endif
-                strlcat(buf, itoa(signum), NL_TEXTMAX);
+                strlcat(buf, itoa(str, sizeof(str), signum), NL_TEXTMAX);
         }
 
 #ifdef NLS