diff options
| author | José Bollo <jobol@nonadev.net> | 2022-03-08 09:58:16 +0100 |
|---|---|---|
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2022-03-08 14:25:32 -0300 |
| commit | edc696a73a7cb07b1aa68792a845a98d036ee7eb (patch) | |
| tree | 1702a42530d36697bfdb4f9dbe1426b306e47f88 /libio/wfileops.c | |
| parent | 2da6e439164c54bac4d5fd1320e32f8e16c1a6be (diff) | |
| download | glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.gz glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.xz glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.zip | |
libio: Ensure output buffer for wchars (bug #28828)
The _IO_wfile_overflow does not check if the write pointer for wide
data is valid before access, different than _IO_file_overflow. This
leads to crash on some cases, as described by bug 28828.
The minimal sequence to produce the crash was:
#include <stdio.h>
#include <wchar.h>
int main (int ac, char **av)
{
setvbuf (stdout, NULL, _IOLBF, 0);
fgetwc (stdin);
fputwc (10, stdout); /*CRASH HERE!*/
return 0;
}
The "fgetwc(stdin);" is necessary since it triggers the bug by setting
the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
function _IO_wfile_underflow, line 213).
Signed-off-by: Jose Bollo <jobol@nonadev.net>
Diffstat (limited to 'libio/wfileops.c')
| -rw-r--r-- | libio/wfileops.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libio/wfileops.c b/libio/wfileops.c index fb9d45b677..b59a98881f 100644 --- a/libio/wfileops.c +++ b/libio/wfileops.c @@ -412,7 +412,8 @@ _IO_wfile_overflow (FILE *f, wint_t wch) return WEOF; } /* If currently reading or no buffer allocated. */ - if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0) + if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0 + || f->_wide_data->_IO_write_base == NULL) { /* Allocate a buffer if needed. */ if (f->_wide_data->_IO_write_base == 0) |