From 60160d83a09c659d8d9338b210ff92be77cc87d5 Mon Sep 17 00:00:00 2001
From: Joseph Myers
Date: Tue, 4 Sep 2012 11:24:43 +0000
Subject: [PATCH] Fix iogetdelim.c (latent) integer overflow (bug 9914).
---
 ChangeLog | 7 +++++++
 NEWS | 8 ++++----
 libio/iogetdelim.c | 3 ++-
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 89e60c0..9a041eb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-09-04 Joseph Myers
+
+ [BZ #9914]
+ * libio/iogetdelim.c: Include .
+ (_IO_getdelim): Avoid integer overflow in testing whether cur_len
+ + len + 1 would overflow.
+
 2012-09-03 Andreas Jaeger
 * sysdeps/x86_64/fpu/libm-test-ulps: Update.
diff --git a/NEWS b/NEWS
index e0dcdf4..9a58c6d 100644
--- a/NEWS
+++ b/NEWS
@@ -9,10 +9,10 @@ Version 2.17
 * The following bugs are resolved with this release:
- 3479, 5400, 6778, 6808, 9685, 11607, 13412, 13717, 13696, 13939, 14042,
- 14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195, 14252,
- 14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347, 14349,
- 14459, 14476, 14505, 14516, 14519, 14532, 14538
+ 3479, 5400, 6778, 6808, 9685, 9914, 11607, 13412, 13717, 13696, 13939,
+ 14042, 14090, 14166, 14150, 14151, 14154, 14157, 14166, 14173, 14195,
+ 14252, 14283, 14298, 14303, 14307, 14328, 14331, 14336, 14337, 14347,
+ 14349, 14459, 14476, 14505, 14516, 14519, 14532, 14538
 * Support for STT_GNU_IFUNC symbols added for s390 and s390x. Optimized versions of memcpy, memset, and memcmp added for System z10 and
diff --git a/libio/iogetdelim.c b/libio/iogetdelim.c
index 405b65f..bf4b0f7 100644
--- a/libio/iogetdelim.c
+++ b/libio/iogetdelim.c
@@ -29,6 +29,7 @@
 #include "libioP.h"
 #include
 #include
+#include
 /* Read up to (and including) a TERMINATOR from FP into *LINEPTR (and null-terminate it). *LINEPTR is a pointer returned from malloc (or
@@ -89,7 +90,7 @@ _IO_getdelim (lineptr, n, delimiter, fp)
 t = (char *) memchr ((void *) fp->_IO_read_ptr, delimiter, len);
 if (t != NULL)
 len = (t - fp->_IO_read_ptr) + 1;
- if (__builtin_expect (cur_len + len + 1 < 0, 0))
+ if (__builtin_expect (len >= SSIZE_MAX - cur_len, 0))
 {
 __set_errno (EOVERFLOW);
 result = -1;
-- 
2.7.4
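Review bot: The rewritten guard `len >= SSIZE_MAX - cur_len` has no comment, and its soundness rests on facts this hunk does not show: that `cur_len` is never negative, so the subtraction cannot itself overflow, and that `cur_len` and `len` are signed and no wider than `ssize_t`. A one-line comment above the test would record that and keep a later cleanup from folding it back into an additive form, for example `/* Same as cur_len + len + 1 > SSIZE_MAX, but cannot overflow; requires 0 <= cur_len.  */`. The `>=` rather than `>` presumably reserves the extra byte for the terminating NUL, which the comment could state as well. The declarations of both variables and the rest of `_IO_getdelim` lie outside this hunk, so the types should be confirmed there.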