From 7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4 Mon Sep 17 00:00:00 2001 From: Rich Felker Date: Sun, 4 Sep 2011 10:29:04 -0400 Subject: [PATCH] memstreams: fix incorrect handling of file pos > current size the addition is safe and cannot overflow because both operands are positive when considered as signed quantities. --- src/stdio/open_memstream.c | 4 ++-- src/stdio/open_wmemstream.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c index 7fc16204..687e818d 100644 --- a/src/stdio/open_memstream.c +++ b/src/stdio/open_memstream.c @@ -32,8 +32,8 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len) f->wpos = f->wbase; if (ms_write(f, f->wbase, len2) < len2) return 0; } - if (len >= c->space - c->pos) { - len2 = 2*c->space+1 | c->space+len+1; + if (len + c->pos >= c->space) { + len2 = 2*c->space+1 | c->pos+len+1; newbuf = realloc(c->buf, len2); if (!newbuf) return 0; *c->bufp = c->buf = newbuf; diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c index 0db77416..a830b143 100644 --- a/src/stdio/open_wmemstream.c +++ b/src/stdio/open_wmemstream.c @@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len) struct cookie *c = f->cookie; size_t len2; wchar_t *newbuf; - if (len >= c->space - c->pos) { - len2 = 2*c->space+1 | c->space+len+1; + if (len + c->pos >= c->space) { + len2 = 2*c->space+1 | c->pos+len+1; if (len2 > SSIZE_MAX/4) return 0; newbuf = realloc(c->buf, len2*4); if (!newbuf) return 0; -- 2.25.1