From 7ee3dcb3c603b20fcd4547ffb00e11701c6d1cf4 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Sun, 4 Sep 2011 10:29:04 -0400
Subject: memstreams: fix incorrect handling of file pos > current size

the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.
---
 src/stdio/open_wmemstream.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/stdio/open_wmemstream.c')

diff --git a/src/stdio/open_wmemstream.c b/src/stdio/open_wmemstream.c
index 0db77416..a830b143 100644
--- a/src/stdio/open_wmemstream.c
+++ b/src/stdio/open_wmemstream.c
@@ -30,8 +30,8 @@ static size_t wms_write(FILE *f, const unsigned char *buf, size_t len)
 	struct cookie *c = f->cookie;
 	size_t len2;
 	wchar_t *newbuf;
-	if (len >= c->space - c->pos) {
-		len2 = 2*c->space+1 | c->space+len+1;
+	if (len + c->pos >= c->space) {
+		len2 = 2*c->space+1 | c->pos+len+1;
 		if (len2 > SSIZE_MAX/4) return 0;
 		newbuf = realloc(c->buf, len2*4);
 		if (!newbuf) return 0;
-- 
cgit v1.2.1