Check for integer overflows in formatting functions

author: Andreas Schwab <schwab@redhat.com> 2009-09-29 06:11:59 -0700
committer: Ulrich Drepper <drepper@redhat.com> 2009-09-29 06:11:59 -0700
commit: 199eb0de8d673fb23aa127721054b4f1803d61f3 (patch)
tree: 0234b688e8ee6f68ceb310d58753a934eac2a74b /stdio-common/printf_fp.c
parent: 9d076f21cdf5f7bb2293498ed22330bb02c0a68d (diff)
download: glibc-199eb0de8d673fb23aa127721054b4f1803d61f3.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c
index cd3ada6441..b60ddecef0 100644
--- a/stdio-common/printf_fp.c
+++ b/stdio-common/printf_fp.c
@@ -891,8 +891,15 @@ ___printf_fp (FILE *fp,
        it is possible that we need two more characters in front of all the
        other output.  If the amount of memory we have to allocate is too
        large use `malloc' instead of `alloca'.  */
-    size_t wbuffer_to_alloc = (2 + (size_t) chars_needed) * sizeof (wchar_t);
-    buffer_malloced = ! __libc_use_alloca (chars_needed * 2 * sizeof (wchar_t));
+    if (__builtin_expect (chars_needed >= (size_t) -1 / sizeof (wchar_t) - 2
+			  || chars_needed < fracdig_max, 0))
+      {
+	/* Some overflow occurred.  */
+	__set_errno (ERANGE);
+	return -1;
+      }
+    size_t wbuffer_to_alloc = (2 + chars_needed) * sizeof (wchar_t);
+    buffer_malloced = ! __libc_use_alloca (wbuffer_to_alloc);
     if (__builtin_expect (buffer_malloced, 0))
       {
 	wbuffer = (wchar_t *) malloc (wbuffer_to_alloc);
author	Andreas Schwab <schwab@redhat.com>	2009-09-29 06:11:59 -0700
committer	Ulrich Drepper <drepper@redhat.com>	2009-09-29 06:11:59 -0700
commit	199eb0de8d673fb23aa127721054b4f1803d61f3 (patch)
tree	0234b688e8ee6f68ceb310d58753a934eac2a74b /stdio-common/printf_fp.c
parent	9d076f21cdf5f7bb2293498ed22330bb02c0a68d (diff)
download	glibc-199eb0de8d673fb23aa127721054b4f1803d61f3.tar.gz