mirror/glibc
2
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-01-30 12:31:53 +08:00
Code Issues Packages Projects Releases Wiki Activity

libio: Fix buffer overrun in tst-ftell-active-handler

Browse Source 
On 'do_ftell_test' the code:

365           if (test_modes[i].fd_mode != O_WRONLY)
366             {
367               char tmpbuf[data_len];
368
369               rewind (fp);
370
371               while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));

The 'data_len' is calculated with wsclen and allocated as 'char'.  The
subsequent fgetws will then try to write at most 'data_len' wchar_t
in a buffer with just data_len 'char'.  This patch fixes it by
allocating the tmpbuf using 'wchar_t' * data_len bytes.
This commit is contained in:
Adhemerval Zanella 2014-12-05 07:41:22 -05:00
parent 4bee4cd959
commit 9752c3cdbc
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
2014-12-05 Adhemerval Zanella <azanella@linux.vnet.ibm.com>
* libio/tst-ftell-active-handler.c (do_ftell_test): Fix buffer overrun
for wide-character tests.
2014-12-04 Roland McGrath <roland@hack.frob.com>
* io/openat64.c: #include <libc-internal.h>

7
libio/tst-ftell-active-handler.c
View File

@ -84,6 +84,7 @@ static const char *char_data = "abcdef";
static const wchar_t *wide_data = L"abcdef";
static size_t data_len;
static size_t file_len;
static size_t char_len;
typedef int (*fputs_func_t) (const void *data, FILE *fp);
typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
@ -364,11 +365,11 @@ do_ftell_test (const char *filename)
reading. */
if (test_modes[i].fd_mode != O_WRONLY)
{
char tmpbuf[data_len];
char tmpbuf[data_len * char_len];
rewind (fp);
while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
while (fgets_func (tmpbuf, data_len, fp) && !feof (fp));
write_ret = write (fd, data, data_len);
if (write_ret != data_len)
@ -656,6 +657,7 @@ do_test (void)
fgets_func = (fgets_func_t) fgets;
data = char_data;
data_len = strlen (char_data);
char_len = sizeof (char);
ret |= do_one_test (filename);
/* Truncate the file before repeating the tests in wide mode. */
@ -678,6 +680,7 @@ do_test (void)
fgets_func = (fgets_func_t) fgetws;
data = wide_data;
data_len = wcslen (wide_data);
char_len = sizeof (wchar_t);
ret |= do_one_test (filename);
return ret;