diff options
author | Andreas Schwab <schwab@redhat.com> | 2009-09-29 06:11:59 -0700 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2009-09-29 06:11:59 -0700 |
commit | 199eb0de8d673fb23aa127721054b4f1803d61f3 (patch) | |
tree | 0234b688e8ee6f68ceb310d58753a934eac2a74b /stdio-common/printf_fp.c | |
parent | 9d076f21cdf5f7bb2293498ed22330bb02c0a68d (diff) | |
download | glibc-199eb0de8d673fb23aa127721054b4f1803d61f3.tar.gz glibc-199eb0de8d673fb23aa127721054b4f1803d61f3.tar.xz glibc-199eb0de8d673fb23aa127721054b4f1803d61f3.zip |
Check for integer overflows in formatting functions
Diffstat (limited to 'stdio-common/printf_fp.c')
-rw-r--r-- | stdio-common/printf_fp.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c index cd3ada6441..b60ddecef0 100644 --- a/stdio-common/printf_fp.c +++ b/stdio-common/printf_fp.c @@ -891,8 +891,15 @@ ___printf_fp (FILE *fp, it is possible that we need two more characters in front of all the other output. If the amount of memory we have to allocate is too large use `malloc' instead of `alloca'. */ - size_t wbuffer_to_alloc = (2 + (size_t) chars_needed) * sizeof (wchar_t); - buffer_malloced = ! __libc_use_alloca (chars_needed * 2 * sizeof (wchar_t)); + if (__builtin_expect (chars_needed >= (size_t) -1 / sizeof (wchar_t) - 2 + || chars_needed < fracdig_max, 0)) + { + /* Some overflow occurred. */ + __set_errno (ERANGE); + return -1; + } + size_t wbuffer_to_alloc = (2 + chars_needed) * sizeof (wchar_t); + buffer_malloced = ! __libc_use_alloca (wbuffer_to_alloc); if (__builtin_expect (buffer_malloced, 0)) { wbuffer = (wchar_t *) malloc (wbuffer_to_alloc); |