From fcb5a24fd8722c364afbcada74a528641f6e4491 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 9 Jun 2026 06:00:13 +0000
Subject: [PATCH] Avoid signed overflow in fmt_scaled
Adding the scaled fractional part to whole may result in a signed overflow. Guard against this by adding checks before subtracting or adding. problem pointed out by a friend of claudio's fix looks good to claudio, ok djm
---
lib/libutil/fmt_scaled.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/lib/libutil/fmt_scaled.c b/lib/libutil/fmt_scaled.c
index e320c7f6706..8a3d078657b 100644
--- a/lib/libutil/fmt_scaled.c
+++ b/lib/libutil/fmt_scaled.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fmt_scaled.c,v 1.25 2026/06/06 23:53:59 djm Exp $ */
+/* $OpenBSD: fmt_scaled.c,v 1.26 2026/06/09 06:00:13 tb Exp $ */
 /* * Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved.
@@ -210,10 +210,19 @@ scan_scaled(char *scaled, long long *result)
 fpart /= 10;
 divs--;
 }
- if (sign == -1)
+ if (sign == -1) {
+ if (whole < LLONG_MIN + fpart) {
+ errno = ERANGE;
+ return -1;
+ }
 whole -= fpart;
- else
+ } else {
+ if (whole > LLONG_MAX - fpart) {
+ errno = ERANGE;
+ return -1;
+ }
 whole += fpart;
+ }
 *result = whole;
 return 0;
 }
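Review bot: Both new guards, `whole < LLONG_MIN + fpart` and `whole > LLONG_MAX - fpart`, are themselves free of overflow only when `fpart` is non-negative at this point, which the hunk does not show; if that invariant holds (the preceding `fpart /= 10` scaling suggests it does), a one-line comment such as `/* fpart >= 0 here, so the bounds below cannot themselves overflow */` above `if (sign == -1) {` would keep a later change from breaking it silently. The diffstat lists only fmt_scaled.c, so the two ERANGE paths have no regression case; inputs whose scaled whole part sits at the LLONG_MAX and LLONG_MIN boundary with a non-zero fraction would pin them. scan_scaled starts and ends outside the hunk, so the sign of `whole` on the negative path and whether callers expect `*result` to stay untouched on the error return could not be checked here.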