From 1e6937643577e1fb5ea8696c2f583e20bcd29279 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Sat, 3 Sep 2011 20:19:51 -0400
Subject: [PATCH] fix some length calculations in memory streams

---
 src/stdio/open_memstream.c  | 2 +-
 src/stdio/open_wmemstream.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/stdio/open_memstream.c b/src/stdio/open_memstream.c
index dedc3d51..2f3569f1 100644
--- a/src/stdio/open_memstream.c
+++ b/src/stdio/open_memstream.c
@@ -41,7 +41,7 @@ static size_t ms_write(FILE *f, const unsigned char *buf, size_t len)
 		f->wpos = f->wbase;
 		if (ms_write(f, f->wbase, len2) < len2) return 0;
 	}
-	if (len > c->space - c->pos) {
+	if (len >= c->space - c->pos) {
 		len2 = 2*c->space+1 | c->space+len+1;
 		newbuf = realloc(c->buf, len2);
 		if (!newbuf) return 0;
diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c
index 5402ca1a..3bc0f254 100644
--- a/src/stdio/open_wmemstream.c
+++ b/src/stdio/open_wmemstream.c
@@ -39,13 +39,13 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
 	struct cookie *c = f->cookie;
 	size_t len2;
 	wchar_t *newbuf;
-	if (len > c->space - c->pos) {
+	if (len >= c->space - c->pos) {
 		len2 = 2*c->space+1 | c->space+len+1;
 		if (len2 > SSIZE_MAX/4) return 0;
 		newbuf = realloc(c->buf, len2*4);
 		if (!newbuf) return 0;
 		*c->bufp = c->buf = newbuf;
-		memset(c->buf + c->space, 0, len2 - c->space);
+		memset(c->buf + c->space, 0, 4*(len2 - c->space));
 		c->space = len2;
 	}
 	
-- 
2.20.1