author | Ondřej Bílka <neleai@seznam.cz> | 2014-01-07 12:02:15 +0100 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2014-01-07 12:05:32 +0100 |
commit | 94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch) | |
tree | 1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 | |
parent | b513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff) | |
Fix integer overflow in vfwprintf. Fixes bug 14286.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | NEWS | 28 | ||||
-rw-r--r-- | stdio-common/vfprintf.c | 8 |
3 files changed, 26 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog index 50dd9b4af4..be41012fd1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2014-01-07 Ondřej Bílka <neleai@seznam.cz> + + [BZ #14286] + * stdio-common/vfprintf.c: Check for integer overflow. + 2014-01-07 Andreas Krebbel <Andreas.Krebbel@de.ibm.com> * sysdeps/s390/dl-tls.h: sysdeps/s390/dl-tls.h: Remove casts for diff --git a/NEWS b/NEWS index ab3b882631..a3030eb163 100644 --- a/NEWS +++ b/NEWS 
@@ -11,20 +11,20 @@ Version 2.19 156, 387, 431, 762, 832, 926, 2801, 4772, 6786, 6787, 6807, 6810, 7003, 9954, 10253, 10278, 11087, 11157, 11214, 12100, 12486, 12986, 13028, - 13982, 13985, 14029, 14032, 14120, 14143, 14155, 14547, 14699, 14752, - 14876, 14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268, 15277, - 15308, 15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532, - 15593, 15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, - 15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, - 15764, 15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855, - 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, - 15897, 15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939, - 15941, 15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036, - 16037, 16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103, - 16112, 16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195, - 16214, 16245, 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, - 16337, 16338, 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, - 16385, 16386, 16390, 16400. 
+ 13982, 13985, 14029, 14032, 14120, 14143, 14155, 14286, 14547, 14699, + 14752, 14876, 14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268, + 15277, 15308, 15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531, + 15532, 15593, 15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672, + 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760, + 15763, 15764, 15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849, + 15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, + 15895, 15897, 15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923, + 15939, 15941, 15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, + 16036, 16037, 16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, + 16103, 16112, 16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, + 16195, 16214, 16245, 16271, 16274, 16283, 16289, 16293, 16314, 16316, + 16330, 16337, 16338, 16356, 16365, 16366, 16369, 16372, 16375, 16379, + 16384, 16385, 16386, 16390, 16400. * Slovenian translations for glibc messages have been contributed by the Translation Project's Slovenian team of translators. diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c index 115beabdfb..f7e5f61cc8 100644 --- a/stdio-common/vfprintf.c +++ b/stdio-common/vfprintf.c @@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) /* Allocate dynamically an array which definitely is long \ enough for the wide character version. Each byte in the \ multi-byte string can produce at most one wide character. */ \ - if (__libc_use_alloca (len * sizeof (wchar_t))) \ + if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t))) \ + { \ + __set_errno (EOVERFLOW); \ + done = -1; \ + goto all_done; \ + } \ + else if (__libc_use_alloca (len * sizeof (wchar_t))) \ string = (CHAR_T *) alloca (len * sizeof (wchar_t)); \ else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t))) \ == NULL) \ |
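Review bot: The new `len > SIZE_MAX / sizeof (wchar_t)` guard in the stdio-common/vfprintf.c hunk has no comment saying what it protects, and the existing "Allocate dynamically an array" comment above it still reads as if the allocation followed directly. Without the guard, `len * sizeof (wchar_t)` can wrap, so both the `alloca` and the `malloc` branch below would presumably get a buffer smaller than the `len` wide characters the existing comment says the conversion can produce. I would state that ahead of the `if` with `/* Reject len whose byte count would wrap; the buffer would be too small. */ \`. The diffstat lists only ChangeLog, NEWS and vfprintf.c, so the overflow path (errno set to `EOVERFLOW`, `done = -1`) lands without a regression test; one belongs with this fix. The enclosing macro, the computation of `len` and the `all_done` label are outside the hunk, so what cleanup that label performs cannot be confirmed from here.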