diff options
author | Rich Felker <dalias@aerifal.cx> | 2011-09-04 10:29:04 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2011-09-04 10:29:04 -0400 |
commit | 7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4 (patch) | |
tree | de55d7b177cbe5f095ac2745e65e5544254fc067 | |
parent | c88f36f55623124d09f48631974ca38aaec00057 (diff) | |
download | musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.gz musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.bz2 musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.xz musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.zip |
memstreams: fix incorrect handling of file pos > current size
the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.
-rw-r--r-- | src/stdio/open_memstream.c | 4 | ||||
-rw-r--r-- | src/stdio/open_wmemstream.c | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c index 7fc16204..687e818d 100644 --- a/src/stdio/open_memstream.c +++ b/src/stdio/open_memstream.c @@ -32,8 +32,8 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len) f->wpos = f->wbase; if (ms_write(f, f->wbase, len2) < len2) return 0; } - if (len >= c->space - c->pos) { - len2 = 2*c->space+1 | c->space+len+1; + if (len + c->pos >= c->space) { + len2 = 2*c->space+1 | c->pos+len+1; newbuf = realloc(c->buf, len2); if (!newbuf) return 0; *c->bufp = c->buf = newbuf; diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c index 0db77416..a830b143 100644 --- a/src/stdio/open_wmemstream.c +++ b/src/stdio/open_wmemstream.c @@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len) struct cookie *c = f->cookie; size_t len2; wchar_t *newbuf; - if (len >= c->space - c->pos) { - len2 = 2*c->space+1 | c->space+len+1; + if (len + c->pos >= c->space) { + len2 = 2*c->space+1 | c->pos+len+1; if (len2 > SSIZE_MAX/4) return 0; newbuf = realloc(c->buf, len2*4); if (!newbuf) return 0; |