From 60160d83a09c659d8d9338b210ff92be77cc87d5 Mon Sep 17 00:00:00 2001 From: Joseph Myers Date: Tue, 4 Sep 2012 11:24:43 +0000 Subject: Fix iogetdelim.c (latent) integer overflow (bug 9914). --- libio/iogetdelim.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'libio') diff --git a/libio/iogetdelim.c b/libio/iogetdelim.c index 405b65f..bf4b0f7 100644 --- a/libio/iogetdelim.c +++ b/libio/iogetdelim.c @@ -29,6 +29,7 @@ #include "libioP.h" #include #include +#include /* Read up to (and including) a TERMINATOR from FP into *LINEPTR (and null-terminate it). *LINEPTR is a pointer returned from malloc (or @@ -89,7 +90,7 @@ _IO_getdelim (lineptr, n, delimiter, fp) t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len); if (t != NULL) len = (t - fp->_IO_read_ptr) + 1; - if (__builtin_expect (cur_len + len + 1 < 0, 0)) + if (__builtin_expect (len >= SSIZE_MAX - cur_len, 0)) { __set_errno (EOVERFLOW); result = -1; -- cgit v1.1