fix twos complement overflow bug in mem streams boundary check
[musl] / src / stdio / open_wmemstream.c
index 5402ca1..41b92d2 100644 (file)
@@ -29,7 +29,7 @@ static off_t wms_seek(FILE *f, off_t off, int whence)
                errno = EINVAL;
                return -1;
        }
-       if (-off > base || off > SSIZE_MAX/4-base) goto fail;
+       if (off < -base || off > SSIZE_MAX/4-base) goto fail;
        memset(&c->mbs, 0, sizeof c->mbs);
        return c->pos = base+off;
 }
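Review bot: The bounds check in wms_seek accepts any resulting position up to SSIZE_MAX/4, so `return c->pos = base+off;` can leave c->pos larger than the currently allocated c->space. The write path in the next hunk then evaluates `len >= c->space - c->pos`. The struct cookie definition is outside this diff, so this is inferred, but if those fields are unsigned the subtraction wraps to a huge value and the growth branch is skipped, leaving whatever is stored at c->pos afterwards outside the allocation. Writing the test without a subtraction avoids that: `if (len + c->pos >= c->space) {`, with the new size computed as `len2 = 2*c->space+1 | c->pos+len+1;`. Both function bodies begin outside their hunks, so the declaration of base and the code after the realloc block should be checked against this.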
@@ -39,13 +39,13 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
        struct cookie *c = f->cookie;
        size_t len2;
        wchar_t *newbuf;
-       if (len > c->space - c->pos) {
+       if (len >= c->space - c->pos) {
                len2 = 2*c->space+1 | c->space+len+1;
                if (len2 > SSIZE_MAX/4) return 0;
                newbuf = realloc(c->buf, len2*4);
                if (!newbuf) return 0;
                *c->bufp = c->buf = newbuf;
-               memset(c->buf + c->space, 0, len2 - c->space);
+               memset(c->buf + c->space, 0, 4*(len2 - c->space));
                c->space = len2;
        }