about summary refs log tree commit diff
path: root/libio/wmemstream.c
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2018-06-01 10:41:03 +0200
committerFlorian Weimer <fweimer@redhat.com>2018-06-01 10:41:03 +0200
commit4e8a6346cd3da2d88bbad745a1769260d36f2783 (patch)
treedcf9deeedd5263469fa425574c0ac671a8b43c2a /libio/wmemstream.c
parent50d004c91c942221b862a4a13a4b5f78cfb0d595 (diff)
downloadglibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.tar.gz
glibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.tar.xz
glibc-4e8a6346cd3da2d88bbad745a1769260d36f2783.zip
libio: Avoid _allocate_buffer, _free_buffer function pointers [BZ #23236]
These unmangled function pointers reside on the heap and could
be targeted by exploit writers, effectively bypassing libio vtable
validation.  Instead, we ignore these pointers and always call
malloc or free.

In theory, this is a backwards-incompatible change, but using the
global heap instead of the user-supplied callback functions should
have little application impact.  (The old libstdc++ implementation
exposed this functionality via a public, undocumented constructor
in its strstreambuf class.)
Diffstat (limited to 'libio/wmemstream.c')
-rw-r--r--libio/wmemstream.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libio/wmemstream.c b/libio/wmemstream.c
index 88044f3150..c92d2da4b2 100644
--- a/libio/wmemstream.c
+++ b/libio/wmemstream.c
@@ -92,8 +92,8 @@ open_wmemstream (wchar_t **bufloc, size_t *sizeloc)
   _IO_wstr_init_static (&new_f->fp._sf._sbf._f, buf,
 			BUFSIZ / sizeof (wchar_t), buf);
   new_f->fp._sf._sbf._f._flags2 &= ~_IO_FLAGS2_USER_WBUF;
-  new_f->fp._sf._s._allocate_buffer = (_IO_alloc_type) malloc;
-  new_f->fp._sf._s._free_buffer = (_IO_free_type) free;
+  new_f->fp._sf._s._allocate_buffer_unused = (_IO_alloc_type) malloc;
+  new_f->fp._sf._s._free_buffer_unused = (_IO_free_type) free;
 
   new_f->fp.bufloc = bufloc;
   new_f->fp.sizeloc = sizeloc;