libio: Check remaining buffer size in _IO_wdo_write (bug 31183)

The multibyte character needs to fit into the remaining buffer space, not the already-written buffer space. Without the fix, we were never moving the write pointer from the start of the buffer, always using the single-character fallback buffer. Fixes commit 04b76b5aa8 ("Don't error out writing a multibyte character to an unbuffered stream (bug 17522)"). (cherry picked from commit ecc7c3deb9)
2025-02-23 13:09:58 +08:00 · 2024-01-02 14:36:17 +01:00 · 2024-01-02 14:36:17 +01:00 · cfe1219100
commit cfe1219100
parent ae1e521702
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -43,6 +43,7 @@ The following bugs are resolved with this release:
    -D_FILE_OFFSET_BITS=64
  [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
  [30843] potential use-after-free in getcanonname (CVE-2023-4806)
+  [31183] Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix
  [31184] FAIL: elf/tst-tlsgap
  [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic

--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do)
 	  char mb_buf[MB_LEN_MAX];
 	  char *write_base, *write_ptr, *buf_end;

-	  if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf))
+	  if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf))
 	    {
 	      /* Make sure we have room for at least one multibyte
 		 character.  */