diff options
author | Ondřej Bílka <neleai@seznam.cz> | 2014-01-07 12:02:15 +0100 |
---|---|---|
committer | Ondřej Bílka <neleai@seznam.cz> | 2014-01-07 12:05:32 +0100 |
commit | 94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch) | |
tree | 1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 /stdio-common | |
parent | b513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff) | |
download | glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.gz glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.xz glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.zip |
Fix integer overflow in vfwprintf. Fixes bug 14286.
Diffstat (limited to 'stdio-common')
-rw-r--r-- | stdio-common/vfprintf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c index 115beabdfb..f7e5f61cc8 100644 --- a/stdio-common/vfprintf.c +++ b/stdio-common/vfprintf.c @@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) /* Allocate dynamically an array which definitely is long \ enough for the wide character version. Each byte in the \ multi-byte string can produce at most one wide character. */ \ - if (__libc_use_alloca (len * sizeof (wchar_t))) \ + if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t))) \ + { \ + __set_errno (EOVERFLOW); \ + done = -1; \ + goto all_done; \ + } \ + else if (__libc_use_alloca (len * sizeof (wchar_t))) \ string = (CHAR_T *) alloca (len * sizeof (wchar_t)); \ else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t))) \ == NULL) \ |