summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2011-09-04 10:29:04 -0400
committerRich Felker <dalias@aerifal.cx>2011-09-04 10:29:04 -0400
commit7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4 (patch)
treede55d7b177cbe5f095ac2745e65e5544254fc067
parentc88f36f55623124d09f48631974ca38aaec00057 (diff)
downloadmusl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.gz
musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.bz2
musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.tar.xz
musl-7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4.zip
memstreams: fix incorrect handling of file pos > current size
the addition is safe and cannot overflow because both operands are positive when considered as signed quantities.
-rw-r--r--src/stdio/open_memstream.c4
-rw-r--r--src/stdio/open_wmemstream.c4
2 files changed, 4 insertions, 4 deletions
diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c
index 7fc16204..687e818d 100644
--- a/src/stdio/open_memstream.c
+++ b/src/stdio/open_memstream.c
@@ -32,8 +32,8 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len)
f->wpos = f->wbase;
if (ms_write(f, f->wbase, len2) < len2) return 0;
}
- if (len >= c->space - c->pos) {
- len2 = 2*c->space+1 | c->space+len+1;
+ if (len + c->pos >= c->space) {
+ len2 = 2*c->space+1 | c->pos+len+1;
newbuf = realloc(c->buf, len2);
if (!newbuf) return 0;
*c->bufp = c->buf = newbuf;
diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c
index 0db77416..a830b143 100644
--- a/src/stdio/open_wmemstream.c
+++ b/src/stdio/open_wmemstream.c
@@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
struct cookie *c = f->cookie;
size_t len2;
wchar_t *newbuf;
- if (len >= c->space - c->pos) {
- len2 = 2*c->space+1 | c->space+len+1;
+ if (len + c->pos >= c->space) {
+ len2 = 2*c->space+1 | c->pos+len+1;
if (len2 > SSIZE_MAX/4) return 0;
newbuf = realloc(c->buf, len2*4);
if (!newbuf) return 0;