Based on:
https://sourceware.org/bugzilla/show_bug.cgi?id=17269
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=bdf1ff052a8e23d637f2c838fa5642d78fcedc33

From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sun, 22 Feb 2015 12:01:47 -0800
Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
---
 libio/wstrops.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libio/wstrops.c b/libio/wstrops.c
index c5aae7b..fe92fd9 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
-	  if (new_size < old_wblen)
+
+	  if (__glibc_unlikely (new_size < old_wblen)
+	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
+
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
 
   _IO_size_t newsize = offset + 100;
+  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+    return 1;
+
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
-- 
2.17.1