From 17c48a60b8f51e627fc1a1bc3805a80b7bdf6d8d Mon Sep 17 00:00:00 2001
From: Ondřej Bílka
Date: Mon, 14 Oct 2013 17:15:08 +0200
Subject: Fix error_tail overflow in allocation calculation.
---
 ChangeLog | 5 +++++
 NEWS | 10 +++++-----
 misc/error.c | 2 +-
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3905a29b1f..6a9568330c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2013-10-14 Ondřej Bílka
+
+ [BZ #15672]
+ * misc/error.c (error_tail): Fix possible buffer overflow.
+
 2013-10-14 Aurelien Jarno
 [BZ #13028]
diff --git a/NEWS b/NEWS
index 156e98891f..48bbb02285 100644
--- a/NEWS
+++ b/NEWS
@@ -11,11 +11,11 @@ Version 2.19
 156, 431, 832, 13028, 13982, 13985, 14155, 14547, 14699, 14910, 15048, 15362, 15400, 15427, 15522, 15531, 15532, 15608, 15609, 15610, 15632,
- 15640, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754,
- 15760, 15764, 15797, 15844, 15847, 15849, 15855, 15856, 15857, 15859,
- 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909,
- 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909,
- 15919, 15921, 15923, 15939, 15963, 15966, 15988, 16032, 16034, 16036.
+ 15640, 15672, 15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749,
+ 15754, 15760, 15764, 15797, 15844, 15847, 15849, 15855, 15856, 15857,
+ 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905,
+ 15909, 15919, 15921, 15923, 15939, 15963, 15966, 15988, 16032, 16034,
+ 16036.
 * CVE-2012-4412 The strcoll implementation caches indices and rules for large
 collation sequences to optimize multiple passes. This cache
diff --git a/misc/error.c b/misc/error.c
index c8e62cf9b4..408a1ab25e 100644
--- a/misc/error.c
+++ b/misc/error.c
@@ -165,7 +165,7 @@ error_tail (int status, int errnum, const char *message, va_list args)
 if (res != len)
 break;
- if (__builtin_expect (len >= SIZE_MAX / 2, 0))
+ if (__builtin_expect (len >= SIZE_MAX / sizeof (wchar_t) / 2, 0))
 {
 /* This really should not happen if everything is fine. */
 res = (size_t) -1;
-- cgit 1.4.1
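Review bot: The new bound on the `+` line ties `len` to the size of a `wchar_t` element, but nothing in the hunk says why, so a reader cannot tell whether the extra `sizeof (wchar_t)` factor belongs to a doubling, to a byte-count conversion, or both. If the buffer below is grown as `len * 2` elements of `wchar_t`, as the expression suggests, the check deserves a comment on the line above it such as `/* len is doubled below and the allocation is in wchar_t units; bail out before len * 2 * sizeof (wchar_t) can wrap size_t.  */`. The doubling and the allocation this guards are not visible here, so the comment's wording should be confirmed against the rest of error_tail, whose body continues outside the hunk on both sides.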