Fix integer overflow in vfwprintf. Fixes bug 14286.

2014-01-07 12:02:15 +01:00 · 2014-01-07 12:02:15 +01:00 · 94c8a4bc57
parent b513cbf751
commit 94c8a4bc57
3 changed files with 26 additions and 15 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2014-01-07  Ondřej Bílka  <neleai@seznam.cz>
+
+	[BZ #14286]
+	* stdio-common/vfprintf.c: Check for integer overflow.
+
 2014-01-07  Andreas Krebbel  <Andreas.Krebbel@de.ibm.com>

 	* sysdeps/s390/dl-tls.h: sysdeps/s390/dl-tls.h: Remove casts for
--- a/28
+++ b/28
@ -11,20 +11,20 @@ Version 2.19

  156, 387, 431, 762, 832, 926, 2801, 4772, 6786, 6787, 6807, 6810, 7003,
  9954, 10253, 10278, 11087, 11157, 11214, 12100, 12486, 12986, 13028,
-  13982, 13985, 14029, 14032, 14120, 14143, 14155, 14547, 14699, 14752,
-  14876, 14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268, 15277,
-  15308, 15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531, 15532,
-  15593, 15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680,
-  15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763,
-  15764, 15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849, 15855,
-  15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893, 15895,
-  15897, 15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923, 15939,
-  15941, 15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034, 16036,
-  16037, 16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078, 16103,
-  16112, 16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172, 16195,
-  16214, 16245, 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330,
-  16337, 16338, 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384,
-  16385, 16386, 16390, 16400.
+  13982, 13985, 14029, 14032, 14120, 14143, 14155, 14286, 14547, 14699,
+  14752, 14876, 14910, 15004, 15048, 15073, 15089, 15128, 15218, 15268,
+  15277, 15308, 15362, 15374, 15400, 15425, 15427, 15483, 15522, 15531,
+  15532, 15593, 15601, 15608, 15609, 15610, 15632, 15640, 15670, 15672,
+  15680, 15681, 15723, 15734, 15735, 15736, 15748, 15749, 15754, 15760,
+  15763, 15764, 15797, 15799, 15825, 15843, 15844, 15846, 15847, 15849,
+  15855, 15856, 15857, 15859, 15867, 15886, 15887, 15890, 15892, 15893,
+  15895, 15897, 15901, 15905, 15909, 15915, 15917, 15919, 15921, 15923,
+  15939, 15941, 15948, 15963, 15966, 15985, 15988, 15997, 16032, 16034,
+  16036, 16037, 16038, 16041, 16055, 16071, 16072, 16074, 16077, 16078,
+  16103, 16112, 16143, 16144, 16146, 16150, 16151, 16153, 16167, 16172,
+  16195, 16214, 16245, 16271, 16274, 16283, 16289, 16293, 16314, 16316,
+  16330, 16337, 16338, 16356, 16365, 16366, 16369, 16372, 16375, 16379,
+  16384, 16385, 16386, 16390, 16400.

 * Slovenian translations for glibc messages have been contributed by the
  Translation Project's Slovenian team of translators.
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@ -1067,7 +1067,13 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
 	    /* Allocate dynamically an array which definitely is long	      \
 	       enough for the wide character version.  Each byte in the	      \
 	       multi-byte string can produce at most one wide character.  */  \
-	    if (__libc_use_alloca (len * sizeof (wchar_t)))		      \
+	    if (__glibc_unlikely (len > SIZE_MAX / sizeof (wchar_t)))	      \
+	      {								      \
+		__set_errno (EOVERFLOW);				      \
+		done = -1;						      \
+		goto all_done;						      \
+	      }								      \
+	    else if (__libc_use_alloca (len * sizeof (wchar_t)))	      \
 	      string = (CHAR_T *) alloca (len * sizeof (wchar_t));	      \
 	    else if ((string = (CHAR_T *) malloc (len * sizeof (wchar_t)))    \
 		     == NULL)						      \