jyapayne/musl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

memstreams: fix incorrect handling of file pos > current size

Browse source 
the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.
This commit is contained in:
Rich Felker 2011-09-04 10:29:04 -04:00
commit 7ee3dcb3c6
2 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/stdio/open_memstream.c
View file

@ -32,8 +32,8 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len)
f->wpos = f->wbase;
if (ms_write(f, f->wbase, len2) < len2) return 0;
}
if (len >= c->space - c->pos) {
len2 = 2*c->space+1 | c->space+len+1;
if (len + c->pos >= c->space) {
len2 = 2*c->space+1 | c->pos+len+1;
newbuf = realloc(c->buf, len2);
if (!newbuf) return 0;
*c->bufp = c->buf = newbuf;

4
src/stdio/open_wmemstream.c
View file

@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
struct cookie *c = f->cookie;
size_t len2;
wchar_t *newbuf;
if (len >= c->space - c->pos) {
len2 = 2*c->space+1 | c->space+len+1;
if (len + c->pos >= c->space) {
len2 = 2*c->space+1 | c->pos+len+1;
if (len2 > SSIZE_MAX/4) return 0;
newbuf = realloc(c->buf, len2*4);
if (!newbuf) return 0;