Fix crash in _IO_wfile_sync (bug 20568)

When computing the length of the converted part of the stdio buffer, use the number of consumed wide characters, not the (negative) distance to the end of the wide buffer. (cherry picked from commit 32ff397533715988c19cbf3675dcbd727ec13e18)
author: Andreas Schwab <schwab@suse.de> 2019-05-14 17:14:59 +0200
committer: Florian Weimer <fweimer@redhat.com> 2019-05-16 10:50:36 +0200
commit: 60bc81ba47915817fb89bc2b80b0176ac1eeba07 (patch)
tree: cbfe23db988daa8d1c263f0e3b20a23d5128d8e2
parent: aa6e76758202dc45b2435ddba9c3625a7d069491 (diff)
download: glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.tar.gz
glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.tar.xz
glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.zip
6 files changed, 56 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index aeabd83b8c..ff69b49f97 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2019-05-15  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #20568]
+	* libio/wfileops.c (_IO_wfile_sync): Correct last argument to
+	__codecvt_do_length.
+	* libio/Makefile (tests): Add tst-wfile-sync.
+	($(objpfx)tst-wfile-sync.out): Depend on $(gen-locales).
+	* libio/tst-wfile-sync.c: New file.
+	* libio/tst-wfile-sync.input: New file.
+
 2019-02-07  Stefan Liebler  <stli@linux.ibm.com>
 
 	[BZ #24180]
diff --git a/NEWS b/NEWS
index 6de716ed84..0ca6b440db 100644
--- a/NEWS
+++ b/NEWS
@@ -69,6 +69,7 @@ Security related changes:
 The following bugs are resolved with this release:
 
   [20257] sunrpc: clntudp_call does not enforce timeout when receiving data
+  [20568] Fix crash in _IO_wfile_sync
   [21015] Document and fix --enable-bind-now
   [21109] Tunables broken on big-endian
   [21115] sunrpc: Use-after-free in error path in clntudp_call
diff --git a/libio/Makefile b/libio/Makefile
index be252f740f..1ae7a82269 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -61,7 +61,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
 	bug-memstream1 bug-wmemstream1 \
 	tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
 	tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
-	tst-ftell-append tst-fputws
+	tst-ftell-append tst-fputws tst-wfile-sync
 ifeq (yes,$(build-shared))
 # Add test-fopenloc only if shared library is enabled since it depends on
 # shared localedata objects.
@@ -198,6 +198,7 @@ $(objpfx)tst-ungetwc1.out: $(gen-locales)
 $(objpfx)tst-ungetwc2.out: $(gen-locales)
 $(objpfx)tst-widetext.out: $(gen-locales)
 $(objpfx)tst_wprintf2.out: $(gen-locales)
+$(objpfx)tst-wfile-sync.out: $(gen-locales)
 endif
 
 $(objpfx)test-freopen.out: test-freopen.sh $(objpfx)test-freopen
diff --git a/libio/tst-wfile-sync.c b/libio/tst-wfile-sync.c
new file mode 100644
index 0000000000..618682064d
--- /dev/null
+++ b/libio/tst-wfile-sync.c
@@ -0,0 +1,39 @@
+/* Test that _IO_wfile_sync does not crash (bug 20568).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <locale.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+
+static int
+do_test (void)
+{
+  TEST_VERIFY_EXIT (setlocale (LC_ALL, "de_DE.UTF-8") != NULL);
+  /* Fill the stdio buffer and advance the read pointer.  */
+  TEST_VERIFY_EXIT (fgetwc (stdin) != WEOF);
+  /* This calls _IO_wfile_sync, it should not crash.  */
+  TEST_VERIFY_EXIT (setvbuf (stdin, NULL, _IONBF, 0) == 0);
+  /* Verify that the external file offset has been synchronized.  */
+  TEST_COMPARE (xlseek (0, 0, SEEK_CUR), 1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/libio/tst-wfile-sync.input b/libio/tst-wfile-sync.input
new file mode 100644
index 0000000000..12d0958f7a
--- /dev/null
+++ b/libio/tst-wfile-sync.input
@@ -0,0 +1 @@
+This is a test of _IO_wfile_sync.
diff --git a/libio/wfileops.c b/libio/wfileops.c
index fb94f45040..727e1b23b9 100644
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -526,11 +526,12 @@ _IO_wfile_sync (_IO_FILE *fp)
 	     generate the wide characters up to the current reading
 	     position.  */
 	  int nread;
-
+	  size_t wnread = (fp->_wide_data->_IO_read_ptr
+			   - fp->_wide_data->_IO_read_base);
 	  fp->_wide_data->_IO_state = fp->_wide_data->_IO_last_state;
 	  nread = (*cv->__codecvt_do_length) (cv, &fp->_wide_data->_IO_state,
 					      fp->_IO_read_base,
-					      fp->_IO_read_end, delta);
+					      fp->_IO_read_end, wnread);
 	  fp->_IO_read_ptr = fp->_IO_read_base + nread;
 	  delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);
 	}
author	Andreas Schwab <schwab@suse.de>	2019-05-14 17:14:59 +0200
committer	Florian Weimer <fweimer@redhat.com>	2019-05-16 10:50:36 +0200
commit	60bc81ba47915817fb89bc2b80b0176ac1eeba07 (patch)
tree	cbfe23db988daa8d1c263f0e3b20a23d5128d8e2
parent	aa6e76758202dc45b2435ddba9c3625a7d069491 (diff)
download	glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.tar.gz glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.tar.xz glibc-60bc81ba47915817fb89bc2b80b0176ac1eeba07.zip