diff options
author | Florian Weimer <fweimer@redhat.com> | 2016-06-11 12:07:14 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2016-08-18 15:26:58 +0200 |
commit | 0d6895748bf4531b5e516c47409d35d104f51642 (patch) | |
tree | 088b0c5cf8e9cb9e3c33a60679631d930de37d34 | |
parent | 240ceafed7a00af8571d56db67a6b8854e418106 (diff) | |
download | glibc-0d6895748bf4531b5e516c47409d35d104f51642.zip glibc-0d6895748bf4531b5e516c47409d35d104f51642.tar.gz glibc-0d6895748bf4531b5e516c47409d35d104f51642.tar.bz2 |
fopencookie: Mangle function pointers stored on the heap [BZ #20222]
(cherry picked from commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8)
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | libio/iofopncook.c | 49 |
2 files changed, 46 insertions, 14 deletions
@@ -1,3 +1,14 @@ +2016-06-11 Florian Weimer <fweimer@redhat.com> + + [BZ #20222] + * libio/iofopncook.c (_IO_cookie_read): Demangle callback pointer. + (_IO_cookie_write): Likewise. + (_IO_cookie_seek): Likewise. + (_IO_cookie_close): Likewise. + (_IO_old_cookie_seek): Likewise. + (set_callbacks): New function. + (_IO_cookie_init): Call set_callbacks to copy callbacks. + 2016-03-29 Florian Weimer <fweimer@redhat.com> [BZ #19837] diff --git a/libio/iofopncook.c b/libio/iofopncook.c index b845d29..3aad3d3 100644 --- a/libio/iofopncook.c +++ b/libio/iofopncook.c @@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size) _IO_ssize_t size; { struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; + cookie_read_function_t *read_cb = cfile->__io_functions.read; + PTR_DEMANGLE (read_cb); - if (cfile->__io_functions.read == NULL) + if (read_cb == NULL) return -1; - return cfile->__io_functions.read (cfile->__cookie, buf, size); + return read_cb (cfile->__cookie, buf, size); } static _IO_ssize_t @@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size) _IO_ssize_t size; { struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; + cookie_write_function_t *write_cb = cfile->__io_functions.write; + PTR_DEMANGLE (write_cb); - if (cfile->__io_functions.write == NULL) + if (write_cb == NULL) { fp->_flags |= _IO_ERR_SEEN; return 0; } - _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size); + _IO_ssize_t n = write_cb (cfile->__cookie, buf, size); if (n < size) fp->_flags |= _IO_ERR_SEEN; @@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir) int dir; { struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; + cookie_seek_function_t *seek_cb = cfile->__io_functions.seek; + PTR_DEMANGLE (seek_cb); - return ((cfile->__io_functions.seek == NULL - || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir) + return ((seek_cb == NULL + || (seek_cb (cfile->__cookie, &offset, dir) == -1) || offset == (_IO_off64_t) -1) ? _IO_pos_BAD : offset); @@ -94,11 +100,13 @@ _IO_cookie_close (fp) _IO_FILE *fp; { struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; + cookie_close_function_t *close_cb = cfile->__io_functions.close; + PTR_DEMANGLE (close_cb); - if (cfile->__io_functions.close == NULL) + if (close_cb == NULL) return 0; - return cfile->__io_functions.close (cfile->__cookie); + return close_cb (cfile->__cookie); } @@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps = { }; +/* Copy the callbacks from SOURCE to *TARGET, with pointer + mangling. */ +static void +set_callbacks (_IO_cookie_io_functions_t *target, + _IO_cookie_io_functions_t source) +{ + PTR_MANGLE (source.read); + PTR_MANGLE (source.write); + PTR_MANGLE (source.seek); + PTR_MANGLE (source.close); + *target = source; +} + void _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write, void *cookie, _IO_cookie_io_functions_t io_functions) @@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write, _IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps; cfile->__cookie = cookie; - cfile->__io_functions = io_functions; + set_callbacks (&cfile->__io_functions, io_functions); _IO_file_init (&cfile->__fp); @@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir) int dir; { struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; - int (*seek) (_IO_FILE *, _IO_off_t, int); - int ret; + int (*seek_cb) (_IO_FILE *, _IO_off_t, int) + = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;; + PTR_DEMANGLE (seek_cb); - seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek; - if (seek == NULL) + if (seek_cb == NULL) return _IO_pos_BAD; - ret = seek (cfile->__cookie, offset, dir); + int ret = seek_cb (cfile->__cookie, offset, dir); return (ret == -1) ? _IO_pos_BAD : ret; } |