From 7c2ce714d4e853aadbec13b920576fdfada520f1 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Thu, 25 Jun 2015 11:53:06 +0200
Subject: Fix buffer overflow for writes to memory buffer stream (bug 18549)

---
 libio/fmemopen.c      |  2 +-
 libio/test-fmemopen.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

(limited to 'libio')

diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba..06e5ab8 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
 	{
 	  __set_errno (ENOSPC);
 	  return 0;
diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf..63ca89f 100644
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()
-- 
cgit v1.1