This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[PATCH][BZ #14286] Fix integer overflow in vfwprintf.
- From: Ondřej Bílka <neleai at seznam dot cz>
- To: libc-alpha at sourceware dot org
- Date: Mon, 21 Oct 2013 10:27:01 +0200
- Subject: [PATCH][BZ #14286] Fix integer overflow in vfwprintf.
- Authentication-results: sourceware.org; auth=none
Hi,
This is another straightforward bug that is fixed by adding an overflow
check.
OK to commit?
[BZ #14286]
* stdio-common/vfprintf.c: Fix integer overflow.
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 8cd7a85..ba6b6d1 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1067,7 +1067,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
/* Allocate dynamically an array which definitely is long \
enough for the wide character version. Each byte in the \
multi-byte string can produce at most one wide character. */ \
- if (__libc_use_alloca (len * sizeof (wchar_t))) \
+ if (len > SIZE_MAX / sizeof (wchar_t)) \
+ { \
+ done = -1; \
+ goto all_done; \
+ } \
+ else if (__libc_use_alloca (len * sizeof (wchar_t))) \
string = (CHAR_T *) alloca (len * sizeof (wchar_t)); \
else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t))) \
== NULL) \
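Review bot: the new overflow branch (`if (len > SIZE_MAX / sizeof (wchar_t))`) sets `done = -1` and jumps to `all_done` without setting errno, so the caller gets a failure return with whatever errno value happened to be there before. Suggest adding `__set_errno (EOVERFLOW);` ahead of `done = -1;` so this case can be told apart from an allocation failure. The bound itself is the right one for the three `len * sizeof (wchar_t)` expressions that follow (the `__libc_use_alloca` test, the `alloca` call and the `malloc` call), since it guarantees none of them can wrap. The ChangeLog entry names only the file; naming the function from the hunk header (`vfprintf`) would make it easier to find later.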