about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--NEWS8
-rw-r--r--libio/iogetdelim.c3
3 files changed, 13 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index 89e60c0ffb..9a041eb807 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-09-04  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #9914]
+	* libio/iogetdelim.c: Include <limits.h>.
+	(_IO_getdelim): Avoid integer overflow in testing whether cur_len
+	+ len + 1 would overflow.
+
 2012-09-03  Andreas Jaeger  <aj@suse.de>
 
 	* sysdeps/x86_64/fpu/libm-test-ulps: Update.
diff --git a/NEWS b/NEWS
index e0dcdf4696..9a58c6db21 100644
--- a/NEWS
+++ b/NEWS
@@ -9,10 +9,10 @@ Version 2.17
 
 * The following bugs are resolved with this release:
 
-  3479, 5400, 6778, 6808, 9685, 11607, 13412, 13717, 13696, 13939, 14042,
-  14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195, 14252,
-  14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347, 14349,
-  14459, 14476, 14505, 14516, 14519, 14532, 14538
+  3479, 5400, 6778, 6808, 9685, 9914, 11607, 13412, 13717, 13696, 13939,
+  14042, 14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195,
+  14252, 14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347,
+  14349, 14459, 14476, 14505, 14516, 14519, 14532, 14538
 
 * Support for STT_GNU_IFUNC symbols added for s390 and s390x.
   Optimized versions of memcpy, memset, and memcmp added for System z10 and
diff --git a/libio/iogetdelim.c b/libio/iogetdelim.c
index 405b65f1e1..bf4b0f776a 100644
--- a/libio/iogetdelim.c
+++ b/libio/iogetdelim.c
@@ -29,6 +29,7 @@
 #include "libioP.h"
 #include <string.h>
 #include <errno.h>
+#include <limits.h>
 
 /* Read up to (and including) a TERMINATOR from FP into *LINEPTR
    (and null-terminate it).  *LINEPTR is a pointer returned from malloc (or
@@ -89,7 +90,7 @@ _IO_getdelim (lineptr, n, delimiter, fp)
       t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len);
       if (t != NULL)
 	len = (t - fp->_IO_read_ptr) + 1;
-      if (__builtin_expect (cur_len + len + 1 < 0, 0))
+      if (__builtin_expect (len >= SSIZE_MAX - cur_len, 0))
 	{
 	  __set_errno (EOVERFLOW);
 	  result = -1;