From 9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella
Date: Fri, 5 Dec 2014 07:41:22 -0500
Subject: libio: Fix buffer overrun in tst-ftell-active-handler

On 'do_ftell_test' the code:

365 if (test_modes[i].fd_mode != O_WRONLY)
366 {
367 char tmpbuf[data_len];
368
369 rewind (fp);
370
371 while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));

The 'data_len' is calculated with wsclen and allocated as 'char'. The subsequent fgetws will then try to write at most 'data_len' wchar_t in a buffer with just data_len 'char'.

This patch fixes it by allocating the tmpbuf using 'wchar_t' * data_len bytes.
---
 libio/tst-ftell-active-handler.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'libio')

diff --git a/libio/tst-ftell-active-handler.c b/libio/tst-ftell-active-handler.c
index f69e169..44a4fac 100644
--- a/libio/tst-ftell-active-handler.c
+++ b/libio/tst-ftell-active-handler.c
@@ -84,6 +84,7 @@ static const char *char_data = "abcdef";
 static const wchar_t *wide_data = L"abcdef";
 static size_t data_len;
 static size_t file_len;
+static size_t char_len;
 
 typedef int (*fputs_func_t) (const void *data, FILE *fp);
 typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
@@ -364,11 +365,11 @@ do_ftell_test (const char *filename)
 reading. */
 if (test_modes[i].fd_mode != O_WRONLY)
 {
- char tmpbuf[data_len];
+ char tmpbuf[data_len * char_len];
 
 rewind (fp);
 
- while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
+ while (fgets_func (tmpbuf, data_len, fp) && !feof (fp));
 
 write_ret = write (fd, data, data_len);
 if (write_ret != data_len)
@@ -656,6 +657,7 @@ do_test (void)
 fgets_func = (fgets_func_t) fgets;
 data = char_data;
 data_len = strlen (char_data);
+ char_len = sizeof (char);
 ret |= do_one_test (filename);
 
 /* Truncate the file before repeating the tests in wide mode. */
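Review bot: The new global `static size_t char_len;` in the first hunk has no comment, and its name reads like a character count when it is actually the element size of the current `data`; that is only discoverable from the two assignments several hundred lines away in do_test. Suggest documenting it at the declaration: `/* Size in bytes of one element of DATA: sizeof (char) in narrow mode, sizeof (wchar_t) in wide mode.  Must be set together with DATA_LEN.  */`. The same dependency applies to the two assignments in the do_test hunks, which are otherwise fine.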
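Review bot: The new `char tmpbuf[data_len * char_len];` in the do_ftell_test hunk corrects the buffer size but not its type: it is still a `char` array, and in wide mode fgetws stores `wchar_t` objects through it, which the C standard does not guarantee to be suitably aligned (GCC will usually align a stack array of this size in practice, so this is latent rather than observed). Declaring the buffer with the wider element type, `wchar_t tmpbuf[data_len];`, gives both the size and the alignment for either mode, keeps the `data_len` count passed on the following `fgets_func` line correct for both fgets and fgetws, and would make `char_len` unnecessary. The surrounding loop and the rest of do_ftell_test continue outside the hunk.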
@@ -678,6 +680,7 @@ do_test (void)
 fgets_func = (fgets_func_t) fgetws;
 data = wide_data;
 data_len = wcslen (wide_data);
+ char_len = sizeof (wchar_t);
 ret |= do_one_test (filename);
 
 return ret;
-- 
cgit v1.1