libio: Fix buffer overrun in tst-ftell-active-handler
On 'do_ftell_test' the code:

365           if (test_modes[i].fd_mode != O_WRONLY)
366             {
367               char tmpbuf[data_len];
368
369               rewind (fp);
370
371               while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));

'data_len' is calculated with wcslen, but tmpbuf is allocated as an array
of 'char'.  The subsequent fgetws will then try to write at most 'data_len'
wchar_t into a buffer of just data_len 'char'.  This patch fixes it by
allocating tmpbuf with sizeof (wchar_t) * data_len bytes.
Adhemerval Zanella committed Dec 5, 2014
1 parent 4bee4cd commit 9752c3c
Showing 2 changed files with 10 additions and 2 deletions.
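--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-12-05 Adhemerval Zanella <azanella@linux.vnet.ibm.com>
+
+* libio/tst-ftell-active-handler.c (do_ftell_test): Fix buffer overrun
+for wide-character tests.
+
 2014-12-04 Roland McGrath <roland@hack.frob.com>
 
 * io/openat64.c: #include <libc-internal.h>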
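--- a/libio/tst-ftell-active-handler.c
+++ b/libio/tst-ftell-active-handler.c
@@ -84,6 +84,7 @@ static const char *char_data = "abcdef";
 static const wchar_t *wide_data = L"abcdef";
 static size_t data_len;
 static size_t file_len;
+static size_t char_len;
 
 typedef int (*fputs_func_t) (const void *data, FILE *fp);
 typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
@@ -364,11 +365,11 @@ do_ftell_test (const char *filename)
 reading. */
 if (test_modes[i].fd_mode != O_WRONLY)
 {
-char tmpbuf[data_len];
+char tmpbuf[data_len * char_len];
 
 rewind (fp);
 
-while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
+while (fgets_func (tmpbuf, data_len, fp) && !feof (fp));
 
 write_ret = write (fd, data, data_len);
 if (write_ret != data_len)
@@ -656,6 +657,7 @@ do_test (void)
 fgets_func = (fgets_func_t) fgets;
 data = char_data;
 data_len = strlen (char_data);
+char_len = sizeof (char);
 ret |= do_one_test (filename);
 
 /* Truncate the file before repeating the tests in wide mode. */
@@ -678,6 +680,7 @@ do_test (void)
 fgets_func = (fgets_func_t) fgetws;
 data = wide_data;
 data_len = wcslen (wide_data);
+char_len = sizeof (wchar_t);
 ret |= do_one_test (filename);
 
 return ret;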
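Review bot: In the do_ftell_test hunk, `tmpbuf` is still declared as a `char` array, so in the `fgetws` pass the wide characters are stored into an object whose type only guarantees `char` alignment; the size is now correct, but suitable alignment for `wchar_t` depends on where the compiler places the VLA. Declaring it as `wchar_t tmpbuf[data_len];` would be large enough and correctly aligned for both the `fgets` and `fgetws` passes, and would make the new `char_len` global unnecessary. If the `char` array is kept, a comment such as `/* tmpbuf holds data_len elements of char_len bytes each; fgets_func takes the element count, not the byte size.  */` would record why the second argument is no longer `sizeof (tmpbuf)`. The body of do_ftell_test starts and ends outside the hunk, so this is based on the visible lines only.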
