lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-08 17:42:12 +03:00
Code Activity

Fix integer overflow in vfwprintf. Fixes bug 14286.

Browse Source
This commit is contained in:
Ondřej Bílka
2014-01-07 12:02:15 +01:00
parent b513cbf751
commit 94c8a4bc57
3 changed files with 26 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
stdio-common/vfprintf.c
View File

@@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
/* Allocate dynamically an array which definitely is long \
enough for the wide character version. Each byte in the \
multi-byte string can produce at most one wide character. */ \
if (__libc_use_alloca (len * sizeof (wchar_t))) \
if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t))) \
{ \
__set_errno (EOVERFLOW); \
done = -1; \
goto all_done; \
} \
else if (__libc_use_alloca (len * sizeof (wchar_t))) \
string = (CHAR_T *) alloca (len * sizeof (wchar_t)); \
else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t))) \
== NULL) \