diff options
| author | Andreas Schwab <schwab@suse.de> | 2015-06-25 11:53:06 +0200 |
|---|---|---|
| committer | Andreas Schwab <schwab@suse.de> | 2015-06-25 15:54:09 +0200 |
| commit | 7c2ce714d4e853aadbec13b920576fdfada520f1 (patch) | |
| tree | 90876240dcbfc51809b22803b0b05054ead2bade | |
| parent | cc08749b2d1c68284b25b157fbbe1ff219495cae (diff) | |
| download | glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.zip glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.gz glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.bz2 | |
Fix buffer overflow for writes to memory buffer stream (bug 18549)
| -rw-r--r-- | ChangeLog | 6 | ||||
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | libio/fmemopen.c | 2 | ||||
| -rw-r--r-- | libio/test-fmemopen.c | 13 |
4 files changed, 20 insertions, 4 deletions
@@ -1,3 +1,9 @@ +2015-06-25 Andreas Schwab <schwab@suse.de> + + [BZ #18549] + * libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC. + * libio/test-fmemopen.c (do_test): Add test for it. + 2015-06-25 H.J. Lu <hongjiu.lu@intel.com> [BZ #17841] @@ -24,7 +24,8 @@ Version 2.22 18434, 18444, 18468, 18469, 18470, 18479, 18483, 18495, 18496, 18497, 18498, 18507, 18512, 18513, 18519, 18520, 18522, 18527, 18528, 18529, 18530, 18532, 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, - 18546, 18547, 18553, 18558, 18569, 18583, 18585, 18586, 18593, 18594. + 18546, 18547, 18549, 18553, 18558, 18569, 18583, 18585, 18586, 18593, + 18594. * Cache information can be queried via sysconf() function on s390 e.g. with _SC_LEVEL1_ICACHE_SIZE as argument. diff --git a/libio/fmemopen.c b/libio/fmemopen.c index 6c50fba..06e5ab8 100644 --- a/libio/fmemopen.c +++ b/libio/fmemopen.c @@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s) if (c->pos + s + addnullc > c->size) { - if ((size_t) (c->pos + addnullc) == c->size) + if ((size_t) (c->pos + addnullc) >= c->size) { __set_errno (ENOSPC); return 0; diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c index cddf0cf..63ca89f 100644 --- a/libio/test-fmemopen.c +++ b/libio/test-fmemopen.c @@ -21,21 +21,30 @@ static char buffer[] = "foobar"; #include <stdio.h> #include <string.h> +#include <errno.h> static int do_test (void) { int ch; FILE *stream; + int ret = 0; - stream = fmemopen (buffer, strlen (buffer), "r"); + stream = fmemopen (buffer, strlen (buffer), "r+"); while ((ch = fgetc (stream)) != EOF) printf ("Got %c\n", ch); + fputc ('1', stream); + if (fflush (stream) != EOF || errno != ENOSPC) + { + printf ("fflush didn't fail with ENOSPC\n"); + ret = 1; + } + fclose (stream); - return 0; + return ret; } #define TEST_FUNCTION do_test () |