Fix integer overflow in vfwprintf. Fixes bug 14286.

author: Ondřej Bílka <neleai@seznam.cz> 2014-01-07 12:02:15 +0100
committer: Ondřej Bílka <neleai@seznam.cz> 2014-01-07 12:05:32 +0100
commit: 94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch)
tree: 1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 /stdio-common
parent: b513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff)
download: glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.zip
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.gz
glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.bz2
1 files changed, 7 insertions, 1 deletions
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 115beab..f7e5f61 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	    /* Allocate dynamically an array which definitely is long	      \
 	       enough for the wide character version.  Each byte in the	      \
 	       multi-byte string can produce at most one wide character.  */  \
-	    if (__libc_use_alloca (len * sizeof (wchar_t)))		      \
+	    if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t)))	      \
+	      {								      \
+		__set_errno (EOVERFLOW);				      \
+		done = -1;						      \
+		goto all_done;						      \
+	      }								      \
+	    else if (__libc_use_alloca (len * sizeof (wchar_t)))	      \
 	      string = (CHAR_T *) alloca (len * sizeof (wchar_t));	      \
 	    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))    \
 		     == NULL)						      \
author	Ondřej Bílka <neleai@seznam.cz>	2014-01-07 12:02:15 +0100
committer	Ondřej Bílka <neleai@seznam.cz>	2014-01-07 12:05:32 +0100
commit	94c8a4bc574c58f90a41c5a0fd719608741d3bae (patch)
tree	1b9f968b4cf217ddf84b6bec9b9ed273f8222c48 /stdio-common
parent	b513cbf751bc891f5f9dce96fba4a5b295f8f840 (diff)
download	glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.zip glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.gz glibc-94c8a4bc574c58f90a41c5a0fd719608741d3bae.tar.bz2