summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2011-09-04 00:06:01 -0400
committerRich Felker <dalias@aerifal.cx>2011-09-04 00:06:01 -0400
commit32d67e938e8da0f37c59247acee8b10eaf9a113c (patch)
treee87b7b5da7700f8af18ce90ceef850398ba9947c
parentd4fa6f0e08ff5a292d2aeeeeda80670a1a082cae (diff)
downloadmusl-32d67e938e8da0f37c59247acee8b10eaf9a113c.tar.gz
musl-32d67e938e8da0f37c59247acee8b10eaf9a113c.tar.bz2
musl-32d67e938e8da0f37c59247acee8b10eaf9a113c.tar.xz
musl-32d67e938e8da0f37c59247acee8b10eaf9a113c.zip
fix twos complement overflow bug in mem streams boundary check
the expression -off is not safe in case off is the most-negative value. instead apply - to base which is known to be non-negative and bounded within sanity.
-rw-r--r--src/stdio/open_memstream.c2
-rw-r--r--src/stdio/open_wmemstream.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c
index 2f3569f1..57737098 100644
--- a/src/stdio/open_memstream.c
+++ b/src/stdio/open_memstream.c
@@ -28,7 +28,7 @@ static off_t ms_seek(FILE *f, off_t off, int whence)
errno = EINVAL;
return -1;
}
- if (-off > base || off > SSIZE_MAX-base) goto fail;
+ if (off < -base || off > SSIZE_MAX-base) goto fail;
return c->pos = base+off;
}
diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c
index 3bc0f254..41b92d21 100644
--- a/src/stdio/open_wmemstream.c
+++ b/src/stdio/open_wmemstream.c
@@ -29,7 +29,7 @@ static off_t wms_seek(FILE *f, off_t off, int whence)
errno = EINVAL;
return -1;
}
- if (-off > base || off > SSIZE_MAX/4-base) goto fail;
+ if (off < -base || off > SSIZE_MAX/4-base) goto fail;
memset(&c->mbs, 0, sizeof c->mbs);
return c->pos = base+off;
}