+2015-12-30 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2015-12-30 Andreas Schwab <schwab@suse.de>
[BZ #18032]
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18032, 18928, 19018.
+ 16943, 16958, 17269, 18032, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
projects / thirdparty / glibc.git / commitdiff
