memstreams: fix incorrect handling of file pos > current size
authorRich Felker <dalias@aerifal.cx>
Sun, 4 Sep 2011 14:29:04 +0000 (10:29 -0400)
committerRich Felker <dalias@aerifal.cx>
Sun, 4 Sep 2011 14:29:04 +0000 (10:29 -0400)
the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.

src/stdio/open_memstream.c
src/stdio/open_wmemstream.c

index 7fc16204daad7551d83ecf0e83b3383230cc1e00..687e818dbd5cc857acb98e30d126889f297478c0 100644 (file)
@@ -32,8 +32,8 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len)
                f->wpos = f->wbase;
                if (ms_write(f, f->wbase, len2) < len2) return 0;
        }
-       if (len >= c->space - c->pos) {
-               len2 = 2*c->space+1 | c->space+len+1;
+       if (len + c->pos >= c->space) {
+               len2 = 2*c->space+1 | c->pos+len+1;
                newbuf = realloc(c->buf, len2);
                if (!newbuf) return 0;
                *c->bufp = c->buf = newbuf;
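Review bot: The no-overflow argument for `len + c->pos` lives only in the commit message and should be recorded next to the test itself, here and at the identical test in wms_write. It holds only if c->pos and len each stay at or below SSIZE_MAX, and the bound on c->pos is presumably enforced by the seek handler, which is outside this hunk. A comment such as `/* len and c->pos are each <= SSIZE_MAX, so the sum cannot wrap size_t */` above the `if` would make the dependency visible to whoever next touches the seek path. Note also that this function passes len2 straight to realloc, while wms_write rejects `len2 > SSIZE_MAX/4` first; it is worth confirming that relying on realloc to refuse an oversized request is intended. ms_write's body starts and ends outside the hunk.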
index 0db77416cec819ce1cc7782bf68fd31c8955eb4a..a830b143ebe95cbf6dc4b038bc44b7357b824841 100644 (file)
@@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
        struct cookie *c = f->cookie;
        size_t len2;
        wchar_t *newbuf;
-       if (len >= c->space - c->pos) {
-               len2 = 2*c->space+1 | c->space+len+1;
+       if (len + c->pos >= c->space) {
+               len2 = 2*c->space+1 | c->pos+len+1;
                if (len2 > SSIZE_MAX/4) return 0;
                newbuf = realloc(c->buf, len2*4);
                if (!newbuf) return 0;
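Review bot: The new test `len + c->pos >= c->space` in wms_write appears to mix units, and a comment should say that this is deliberate. len measures the `unsigned char` input from the signature, while c->buf is a `wchar_t` buffer sized as `len2*4` bytes, so c->pos and c->space are presumably counted in wide characters. Treating len as an upper bound on the number of wide characters produced looks intentional and conservative, but nothing in the code says so. I would add `/* len is in input bytes; at most len wide characters can result, so this over-reserves but never under-reserves */` above the `if`. The function body continues past the end of the hunk, so the conversion that consumes this space is not visible here.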