Merge commit from fork

* Check return value of cs_vsnprintf for negative values.

This prevents underflow of SStream.index.
This bug was reported by Github user Finder16.

* Add overflow check before adding cs_vsnprintf return value.

Author: Rot127

SStream.c

@@ -236,6 +236,10 @@ void SStream_concat(SStream *ss, const char *fmt, ...)
 	ret = cs_vsnprintf(ss->buffer + ss->index,
 			   sizeof(ss->buffer) - (ss->index + 1), fmt, ap);
 	va_end(ap);
+	if (ret < 0) {
+		return;
+	}
+	SSTREAM_OVERFLOW_CHECK(ss, ret);
 	ss->index += ret;
 	if (ss->markup_stream && ss->prefixed_by_markup) {
 		SSTREAM_OVERFLOW_CHECK(ss, 1);

SStream.h

@@ -18,7 +18,7 @@ typedef enum {
 
 typedef struct SStream {
 	char buffer[SSTREAM_BUF_LEN];
-	int index;
+	size_t index;
 	bool is_closed;
 	bool markup_stream; ///< If true, markups to the stream are allowed.
 	bool prefixed_by_markup; ///< Set after the stream wrote a markup for an operand.

tests/unit/include/unit_test.h

@@ -38,7 +38,7 @@
 #define CHECK_INT_EQUAL_RET_FALSE(a, b) \
 	do { \
 		if (a != b) { \
-			printf("%" PRId32 " != %" PRId32 "\n", a, b); \
+			printf("%zu != %" PRId32 "\n", a, b); \
 			return false; \
 		} \
 	} while (0);

tests/unit/sstream.c

@@ -594,6 +594,35 @@ bool test_replc_str()
 	return true;
 }
 
+static int evil_vsnprintf(char *str, size_t size, const char *fmt, va_list ap)
+{
+	(void)str;
+	(void)size;
+	(void)fmt;
+	(void)ap;
+	return -1; // forces index underflow
+}
+
+/// Possible underflow of SStream.index and subsequent OOB reads/writes.
+/// Reported by Finder16.
+bool test_underflow_in_sstream(void)
+{
+	cs_opt_mem mem = { .malloc = malloc,
+			   .calloc = calloc,
+			   .realloc = realloc,
+			   .free = free,
+			   .vsnprintf = evil_vsnprintf };
+	cs_option(0, CS_OPT_MEM, (size_t)&mem);
+
+	SStream OS;
+	SStream_Init(&OS);
+	SStream_concat(&OS, "%s", "AAAA"); // index += -1
+	SStream_concat1(&OS, 'B'); // writes before buffer => crash/ASan hit
+	CHECK_OS_EQUAL_RET_FALSE(OS, "B");
+	CHECK_INT_EQUAL_RET_FALSE(OS.index, 1);
+	return true;
+}
+
 int main()
 {
 	bool result = true;
@@ -614,6 +643,7 @@ int main()
 	result &= test_replc_str();
 	result &= test_copy_mnem_opstr();
 	result &= test_trimls();
+	result &= test_underflow_in_sstream();
 	if (result) {
 		printf("All tests passed.\n");
 	} else {