This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH v2][BZ #14286] Fix integer overflow in vfwprintf.


On Mon, Oct 21, 2013 at 11:04:42AM +0200, Andreas Schwab wrote:
> Ondřej Bílka <neleai@seznam.cz> writes:
> 
> > 	[BZ #14286]
> > 	* stdio-common/vfprintf.c: Fix integer overflow.
> 
> s/Fix/Check for/
> 
done.
> > diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
> > index 8cd7a85..ba6b6d1 100644
> > --- a/stdio-common/vfprintf.c
> > +++ b/stdio-common/vfprintf.c
> > @@ -1067,7 +1067,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
> >  	    /* Allocate dynamically an array which definitely is long	      \
> >  	       enough for the wide character version.  Each byte in the	      \
> >  	       multi-byte string can produce at most one wide character.  */  \
> > -	    if (__libc_use_alloca (len * sizeof (wchar_t)))		      \
> > +	    if (len > SIZE_MAX / sizeof (wchar_t))			      \
> > +	      {								      \
> > +		done = -1;						      \
> > +		goto all_done;						      \
> 
> You need to set errno.  Use __glibc_unlikely.
> 
OK, but errno handling confused me. I copied that from the case when malloc
fails, which, if I read the code correctly, does not set ENOMEM. Should we add
additional errnos there?


	[BZ #14286]
	* stdio-common/vfprintf.c: Check for integer overflow.

diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 8cd7a85..42a7bb2 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	    /* Allocate dynamically an array which definitely is long	      \
 	       enough for the wide character version.  Each byte in the	      \
 	       multi-byte string can produce at most one wide character.  */  \
-	    if (__libc_use_alloca (len * sizeof (wchar_t)))		      \
+	    if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t)))	      \
+	      {								      \
+		__set_errno (EOVERFLOW);				      \
+		done = -1;						      \
+		goto all_done;						      \
+	      }								      \
+	    else if (__libc_use_alloca (len * sizeof (wchar_t)))	      \
 	      string = (CHAR_T *) alloca (len * sizeof (wchar_t));	      \
 	    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))    \
 		     == NULL)						      \
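Review bot: the `__set_errno (EOVERFLOW)` line deserves a comment recording why EOVERFLOW rather than ENOMEM was chosen, since this is the question the message body itself raises. EOVERFLOW is the errno this function family reports when the value to be returned would not fit in an int, whereas the malloc-failure branch a few lines below (`== NULL`) reports an allocation failure by relying on malloc having already set ENOMEM; a reader seeing an allocation-size check report EOVERFLOW will wonder which condition is meant. The guard itself is right: `len > SIZE_MAX / sizeof (wchar_t)` is exactly the test for `len * sizeof (wchar_t)` wrapping, and because the existing `__libc_use_alloca` test became an `else if`, both the alloca and the malloc arms are protected from a wrapped size.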

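As an added illustration (example code, not part of the patch or of glibc) of what the guard above prevents: the function names `unchecked_wide_bytes`, `wide_size_overflows`, `first_overflowing_len` and `alloc_wide_buffer` are assumptions introduced here, and the example assumes a platform where `sizeof (wchar_t)` is a power of two, as on Linux.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Added example, not glibc code.  vfprintf needs len * sizeof (wchar_t)
   bytes for a wide copy of a len-byte multibyte string.  Without a guard
   the product wraps modulo SIZE_MAX + 1, so a huge len becomes a tiny
   request that is then overrun when len wide characters are stored.  */
size_t unchecked_wide_bytes (size_t len)
{
  return len * sizeof (wchar_t);   /* wraps silently for large len */
}

/* The patch's guard: nonzero when len * sizeof (wchar_t) cannot fit.  */
int wide_size_overflows (size_t len)
{
  return len > SIZE_MAX / sizeof (wchar_t);
}

/* Smallest len the guard rejects.  With a power-of-two sizeof (wchar_t)
   the unchecked product for this len wraps to exactly 0.  */
size_t first_overflowing_len (void)
{
  return SIZE_MAX / sizeof (wchar_t) + 1;
}

/* Mirror of the patched error path: fail with EOVERFLOW rather than hand
   a wrapped size to the allocator; malloc sets ENOMEM itself on failure.  */
wchar_t *alloc_wide_buffer (size_t len)
{
  if (wide_size_overflows (len))
    {
      errno = EOVERFLOW;
      return NULL;
    }
  return malloc (len * sizeof (wchar_t));
}

int main (void)
{
  size_t bad = first_overflowing_len ();
  printf ("len=%zu -> unchecked request of %zu bytes\n",
          bad, unchecked_wide_bytes (bad));
  wchar_t *p = alloc_wide_buffer (bad);
  printf ("guarded: %s, errno=%d\n", p ? "allocated" : "rejected", errno);
  return 0;
}
```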
