Fix iogetdelim.c (latent) integer overflow (bug 9914).

2012-09-04 11:24:43 +00:00 · 2012-09-04 11:24:43 +00:00 · 60160d83a0
parent bcd6c8dc64
commit 60160d83a0
3 changed files with 13 additions and 5 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+2012-09-04  Joseph Myers  <joseph@codesourcery.com>
+
+	[BZ #9914]
+	* libio/iogetdelim.c: Include <limits.h>.
+	(_IO_getdelim): Avoid integer overflow in testing whether cur_len
+	+ len + 1 would overflow.
+
 2012-09-03  Andreas Jaeger  <aj@suse.de>

 	* sysdeps/x86_64/fpu/libm-test-ulps: Update.
--- a/8
+++ b/8
@ -9,10 +9,10 @@ Version 2.17

 * The following bugs are resolved with this release:

-  3479, 5400, 6778, 6808, 9685, 11607, 13412, 13717, 13696, 13939, 14042,
-  14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195, 14252,
-  14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347, 14349,
-  14459, 14476, 14505, 14516, 14519, 14532, 14538
+  3479, 5400, 6778, 6808, 9685, 9914, 11607, 13412, 13717, 13696, 13939,
+  14042, 14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195,
+  14252, 14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347,
+  14349, 14459, 14476, 14505, 14516, 14519, 14532, 14538

 * Support for STT_GNU_IFUNC symbols added for s390 and s390x.
  Optimized versions of memcpy, memset, and memcmp added for System z10 and
--- a/libio/iogetdelim.c
+++ b/libio/iogetdelim.c
@ -29,6 +29,7 @@
 #include "libioP.h"
 #include <string.h>
 #include <errno.h>
+#include <limits.h>

 /* Read up to (and including) a TERMINATOR from FP into *LINEPTR
   (and null-terminate it).  *LINEPTR is a pointer returned from malloc (or
@ -89,7 +90,7 @@ _IO_getdelim (lineptr, n, delimiter, fp)
      t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len);
      if (t != NULL)
 	len = (t - fp->_IO_read_ptr) + 1;
-      if (__builtin_expect (cur_len + len + 1 < 0, 0))
+      if (__builtin_expect (len >= SSIZE_MAX - cur_len, 0))
 	{
 	  __set_errno (EOVERFLOW);
 	  result = -1;