
fix twos complement overflow bug in mem streams boundary check

the expression -off is not safe in case off is the most-negative
value. instead apply - to base which is known to be non-negative and
bounded within sanity.
Rich Felker 13 years ago
parent
commit
32d67e938e
2 changed files with 2 additions and 2 deletions
  1. 1 1
      src/stdio/open_memstream.c
  2. 1 1
      src/stdio/open_wmemstream.c

+ 1 - 1
src/stdio/open_memstream.c

@@ -28,7 +28,7 @@ static off_t ms_seek(FILE *f, off_t off, int whence)
 		errno = EINVAL;
 		return -1;
 	}
-	if (-off > base || off > SSIZE_MAX-base) goto fail;
+	if (off < -base || off > SSIZE_MAX-base) goto fail;
 	return c->pos = base+off;
 }
 
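Review bot: The rewritten lower bound `off < -base` is overflow-free only because base is non-negative, and nothing next to the check records that, so a later cleanup could fold it back into the `-off > base` form, which overflows when off is the most-negative off_t. base is assigned outside this hunk, so its sign and range cannot be confirmed from here. A comment above the check such as `/* negate base, not off: base >= 0, while -off overflows for the most-negative off_t */` would pin the invariant, and the same comment applies to the identical check in wms_seek in src/stdio/open_wmemstream.c. A regression test that seeks with the most-negative off_t and expects -1 (presumably with errno set to EINVAL via the fail path shown in the context lines) would keep this boundary covered.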

+ 1 - 1
src/stdio/open_wmemstream.c

@@ -29,7 +29,7 @@ static off_t wms_seek(FILE *f, off_t off, int whence)
 		errno = EINVAL;
 		return -1;
 	}
-	if (-off > base || off > SSIZE_MAX/4-base) goto fail;
+	if (off < -base || off > SSIZE_MAX/4-base) goto fail;
 	memset(&c->mbs, 0, sizeof c->mbs);
 	return c->pos = base+off;
 }
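Review bot: The upper bound on the changed line uses a bare `SSIZE_MAX/4` where ms_seek uses `SSIZE_MAX`, and the divisor is not explained anywhere in the hunk. It presumably keeps the position small enough that scaling it by the wide-character size cannot exceed SSIZE_MAX, but the buffer arithmetic is outside this hunk, so that needs confirming against the write path. Once confirmed, a short comment such as `/* pos counts wide characters; /4 keeps the byte size within SSIZE_MAX */` would stop the limit from being loosened by mistake.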