diff options
author | Florian Weimer <fweimer@redhat.com> | 2018-06-01 10:41:03 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2018-06-01 10:41:03 +0200 |
commit | 4e8a6346cd3da2d88bbad745a1769260d36f2783 (patch) | |
tree | dcf9deeedd5263469fa425574c0ac671a8b43c2a /libio/memstream.c | |
parent | 50d004c91c942221b862a4a13a4b5f78cfb0d595 (diff) | |
download | glibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.tar.gz glibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.tar.xz glibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.zip |
libio: Avoid _allocate_buffer, _free_buffer function pointers [BZ #23236]
These unmangled function pointers reside on the heap and could be targeted by exploit writers, effectively bypassing libio vtable validation. Instead, we ignore these pointers and always call malloc or free. In theory, this is a backwards-incompatible change, but using the global heap instead of the user-supplied callback functions should have little application impact. (The old libstdc++ implementation exposed this functionality via a public, undocumented constructor in its strstreambuf class.)
Diffstat (limited to 'libio/memstream.c')
-rw-r--r-- | libio/memstream.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libio/memstream.c b/libio/memstream.c index 8d2726dea3..b5eaa5476c 100644 --- a/libio/memstream.c +++ b/libio/memstream.c @@ -90,8 +90,8 @@ __open_memstream (char **bufloc, size_t *sizeloc) _IO_JUMPS_FILE_plus (&new_f->fp._sf._sbf) = &_IO_mem_jumps; _IO_str_init_static_internal (&new_f->fp._sf, buf, BUFSIZ, buf); new_f->fp._sf._sbf._f._flags &= ~_IO_USER_BUF; - new_f->fp._sf._s._allocate_buffer = (_IO_alloc_type) malloc; - new_f->fp._sf._s._free_buffer = (_IO_free_type) free; + new_f->fp._sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc; + new_f->fp._sf._s._free_buffer_unused = (_IO_free_type) free; new_f->fp.bufloc = bufloc; new_f->fp.sizeloc = sizeloc; |