about summary refs log tree commit diff
path: root/stdio-common/vfprintf.c
diff options
context:
space:
mode:
authorOndřej Bílka <neleai@seznam.cz>2014-01-07 12:02:15 +0100
committerOndřej Bílka <neleai@seznam.cz>2014-01-07 12:05:32 +0100
commit94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch)
tree1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 /stdio-common/vfprintf.c
parentb513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff)
downloadglibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.gz
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.xz
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.zip
Fix integer overflow in vfwprintf. Fixes bug 14286.
Diffstat (limited to 'stdio-common/vfprintf.c')
-rw-r--r--stdio-common/vfprintf.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 115beabdfb..f7e5f61cc8 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	    /* Allocate dynamically an array which definitely is long	      \
 	       enough for the wide character version.  Each byte in the	      \
 	       multi-byte string can produce at most one wide character.  */  \
-	    if (__libc_use_alloca (len * sizeof (wchar_t)))		      \
+	    if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t)))	      \
+	      {								      \
+		__set_errno (EOVERFLOW);				      \
+		done = -1;						      \
+		goto all_done;						      \
+	      }								      \
+	    else if (__libc_use_alloca (len * sizeof (wchar_t)))	      \
 	      string = (CHAR_T *) alloca (len * sizeof (wchar_t));	      \
 	    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))    \
 		     == NULL)						      \