diff options
author | Eric Biggers <ebiggers3@gmail.com> | 2013-10-11 22:29:38 +0530 |
---|---|---|
committer | Siddhesh Poyarekar <siddhesh@redhat.com> | 2013-10-11 22:29:38 +0530 |
commit | 3d110c7c6e6549bd4124fce49cdc672f9e449799 (patch) | |
tree | 465a14f8a2e1c8e58f470c2550a524fff481228e /libio/fileops.c | |
parent | 75b4202ab03337edb37536e3d9470a48a04c9341 (diff) | |
download | glibc-3d110c7c6e6549bd4124fce49cdc672f9e449799.tar.gz glibc-3d110c7c6e6549bd4124fce49cdc672f9e449799.tar.xz glibc-3d110c7c6e6549bd4124fce49cdc672f9e449799.zip |
Fix fwrite() reading beyond end of buffer in error path
Partially revert commits 2b766585f9b4ffabeef2f36200c275976b93f2c7 and de2fd463b1c0310d75084b6d774fb974075a4ad9, which were intended to fix BZ#11741 but caused another, likely worse bug, namely that fwrite() and fputs() could, in an error path, read data beyond the end of the specified buffer, and potentially even write this data to the file. Fix BZ#11741 properly by checking the return value from _IO_padn() in stdio-common/vfprintf.c.
Diffstat (limited to 'libio/fileops.c')
-rw-r--r-- | libio/fileops.c | 21 |
1 files changed, 9 insertions, 12 deletions
diff --git a/libio/fileops.c b/libio/fileops.c index e92f85b243..c58e860c04 100644 --- a/libio/fileops.c +++ b/libio/fileops.c @@ -1245,13 +1245,12 @@ _IO_new_file_write (f, data, n) _IO_ssize_t n; { _IO_ssize_t to_do = n; - _IO_ssize_t count = 0; while (to_do > 0) { - count = (__builtin_expect (f->_flags2 - & _IO_FLAGS2_NOTCANCEL, 0) - ? write_not_cancel (f->_fileno, data, to_do) - : write (f->_fileno, data, to_do)); + _IO_ssize_t count = (__builtin_expect (f->_flags2 + & _IO_FLAGS2_NOTCANCEL, 0) + ? write_not_cancel (f->_fileno, data, to_do) + : write (f->_fileno, data, to_do)); if (count < 0) { f->_flags |= _IO_ERR_SEEN; @@ -1263,7 +1262,7 @@ _IO_new_file_write (f, data, n) n -= to_do; if (f->_offset >= 0) f->_offset += n; - return count < 0 ? count : n; + return n; } _IO_size_t @@ -1323,13 +1322,11 @@ _IO_new_file_xsputn (f, data, n) _IO_size_t block_size, do_write; /* Next flush the (full) buffer. */ if (_IO_OVERFLOW (f, EOF) == EOF) - /* If nothing else has to be written or nothing has been written, we - must not signal the caller that the call was even partially - successful. */ - return (to_do == 0 || to_do == n) ? EOF : n - to_do; + /* If nothing else has to be written we must not signal the + caller that everything has been written. */ + return to_do == 0 ? EOF : n - to_do; - /* Try to maintain alignment: write a whole number of blocks. - dont_write is what gets left over. */ + /* Try to maintain alignment: write a whole number of blocks. */ block_size = f->_IO_buf_end - f->_IO_buf_base; do_write = to_do - (block_size >= 128 ? to_do % block_size : 0); |