From 32d67e938e8da0f37c59247acee8b10eaf9a113c Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Sun, 4 Sep 2011 00:06:01 -0400 Subject: fix twos complement overflow bug in mem streams boundary check the expression -off is not safe in case off is the most-negative value. instead apply - to base which is known to be non-negative and bounded within sanity. --- src/stdio/open_memstream.c | 2 +- src/stdio/open_wmemstream.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'src/stdio') diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c index 2f3569f1..57737098 100644 --- a/src/stdio/open_memstream.c +++ b/src/stdio/open_memstream.c @@ -28,7 +28,7 @@ static off_t ms_seek(FILE *f, off_t off, int whence) errno = EINVAL; return -1; } - if (-off > base || off > SSIZE_MAX-base) goto fail; + if (off < -base || off > SSIZE_MAX-base) goto fail; return c->pos = base+off; } diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c index 3bc0f254..41b92d21 100644 --- a/src/stdio/open_wmemstream.c +++ b/src/stdio/open_wmemstream.c @@ -29,7 +29,7 @@ static off_t wms_seek(FILE *f, off_t off, int whence) errno = EINVAL; return -1; } - if (-off > base || off > SSIZE_MAX/4-base) goto fail; + if (off < -base || off > SSIZE_MAX/4-base) goto fail; memset(&c->mbs, 0, sizeof c->mbs); return c->pos = base+off; } -- cgit v1.2.3-70-g09d2