diff options
| author | Stan Shebs <stanshebs@google.com> | 2015-07-06 20:51:10 -0700 |
|---|---|---|
| committer | Stan Shebs <stanshebs@google.com> | 2015-07-06 20:51:10 -0700 |
| commit | d1c2791a63fb9a8a595bc13362ed465439322c99 (patch) | |
| tree | dc10c114fa27e62fa6057359441eb698f96b6d41 | |
| parent | 1153d5eaf41007c638e53bb41db3d93bbf548a23 (diff) | |
| download | glibc-d1c2791a63fb9a8a595bc13362ed465439322c99.tar.gz glibc-d1c2791a63fb9a8a595bc13362ed465439322c99.tar.xz glibc-d1c2791a63fb9a8a595bc13362ed465439322c99.zip | |
backport fix buffer overflow for writes to memory buffer stream (PR18549)
| -rw-r--r-- | README.google | 5 | ||||
| -rw-r--r-- | libio/fmemopen.c | 2 | ||||
| -rw-r--r-- | libio/test-fmemopen.c | 22 |
3 files changed, 23 insertions, 6 deletions
diff --git a/README.google b/README.google index 9937af5592..2c776b0a06 100644 --- a/README.google +++ b/README.google @@ -438,3 +438,8 @@ elf/dl-load.c For b/8315591, b/20141439 correct off-by-one error that resulted in last byte of l_name being random garbage. (ppluzhnikov, google-local) + +libio/fmemopen.c +libio/test-fmemopen.c + For b/22167761, backport fix buffer overflow for writes to memory buffer stream (PR18549) + https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7c2ce714d4e853aadbec13b920576fdfada520f1 diff --git a/libio/fmemopen.c b/libio/fmemopen.c index e370a8b9e7..66aa5aebeb 100644 --- a/libio/fmemopen.c +++ b/libio/fmemopen.c @@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s) if (c->pos + s + addnullc > c->size) { - if ((size_t) (c->pos + addnullc) == c->size) + if ((size_t) (c->pos + addnullc) >= c->size) { __set_errno (ENOSPC); return 0; diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c index 30998940e1..63ca89f300 100644 --- a/libio/test-fmemopen.c +++ b/libio/test-fmemopen.c @@ -1,5 +1,5 @@ /* Test for fmemopen implementation. - Copyright (C) 2000-2014 Free Software Foundation, Inc. + Copyright (C) 2000-2015 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Hanno Mueller, kontakt@hanno.de, 2000. @@ -21,19 +21,31 @@ static char buffer[] = "foobar"; #include <stdio.h> #include <string.h> +#include <errno.h> -int -main (void) +static int +do_test (void) { int ch; FILE *stream; + int ret = 0; - stream = fmemopen (buffer, strlen (buffer), "r"); + stream = fmemopen (buffer, strlen (buffer), "r+"); while ((ch = fgetc (stream)) != EOF) printf ("Got %c\n", ch); + fputc ('1', stream); + if (fflush (stream) != EOF || errno != ENOSPC) + { + printf ("fflush didn't fail with ENOSPC\n"); + ret = 1; + } + fclose (stream); - return 0; + return ret; } + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |