aboutsummaryrefslogtreecommitdiff
path: root/stdio-common/vfprintf.c
diff options
context:
space:
mode:
authorOndřej Bílka <neleai@seznam.cz>2014-01-07 12:02:15 +0100
committerOndřej Bílka <neleai@seznam.cz>2014-01-07 12:05:32 +0100
commit94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch)
tree1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 /stdio-common/vfprintf.c
parentb513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff)
downloadglibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.zip
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.gz
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.bz2
Fix integer overflow in vfwprintf. Fixes bug 14286.
Diffstat (limited to 'stdio-common/vfprintf.c')
-rw-r--r--stdio-common/vfprintf.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 115beab..f7e5f61 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
/* Allocate dynamically an array which definitely is long \
enough for the wide character version. Each byte in the \
multi-byte string can produce at most one wide character. */ \
- if (__libc_use_alloca (len * sizeof (wchar_t))) \
+ if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t))) \
+ { \
+ __set_errno (EOVERFLOW); \
+ done = -1; \
+ goto all_done; \
+ } \
+ else if (__libc_use_alloca (len * sizeof (wchar_t))) \
string = (CHAR_T *) alloca (len * sizeof (wchar_t)); \
else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t))) \
== NULL) \