about summary refs log tree commit diff
path: root/libio
diff options
context:
space:
mode:
authorAndreas Schwab <schwab@suse.de>2015-06-25 11:53:06 +0200
committerAndreas Schwab <schwab@suse.de>2015-06-25 15:54:09 +0200
commit7c2ce714d4e853aadbec13b920576fdfada520f1 (patch)
tree90876240dcbfc51809b22803b0b05054ead2bade /libio
parentcc08749b2d1c68284b25b157fbbe1ff219495cae (diff)
downloadglibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.gz
glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.xz
glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.zip
Fix buffer overflow for writes to memory buffer stream (bug 18549)
Diffstat (limited to 'libio')
-rw-r--r--libio/fmemopen.c2
-rw-r--r--libio/test-fmemopen.c13
2 files changed, 12 insertions, 3 deletions
diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba221..06e5ab8002 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
 	{
 	  __set_errno (ENOSPC);
 	  return 0;
diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf5e1..63ca89f300 100644
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()