about summary refs log tree commit diff
path: root/libio
diff options
context:
space:
mode:
authorAdhemerval Zanella <azanella@linux.vnet.ibm.com>2014-12-05 07:41:22 -0500
committerAdhemerval Zanella <azanella@linux.vnet.ibm.com>2014-12-05 07:41:22 -0500
commit9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a (patch)
tree8584d933eb5bed98af8b3784a1b3f785c9df8b36 /libio
parent4bee4cd9593610ac1204529076591871b1143c7e (diff)
downloadglibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.gz
glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.xz
glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.zip
libio: Fix buffer overrun in tst-ftell-active-handler
On 'do_ftell_test' the code:

365           if (test_modes[i].fd_mode != O_WRONLY)
366             {
367               char tmpbuf[data_len];
368
369               rewind (fp);
370
371               while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));

The 'data_len' is calculated with wsclen and allocated as 'char'.  The
subsequent fgetws will then try to write at most 'data_len' wchar_t
in a buffer with just data_len 'char'.  This patch fixes it by
allocating the tmpbuf using 'wchar_t' * data_len bytes.
Diffstat (limited to 'libio')
-rw-r--r--libio/tst-ftell-active-handler.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/libio/tst-ftell-active-handler.c b/libio/tst-ftell-active-handler.c
index f69e16922a..44a4facaf7 100644
--- a/libio/tst-ftell-active-handler.c
+++ b/libio/tst-ftell-active-handler.c
@@ -84,6 +84,7 @@ static const char *char_data = "abcdef";
 static const wchar_t *wide_data = L"abcdef";
 static size_t data_len;
 static size_t file_len;
+static size_t char_len;
 
 typedef int (*fputs_func_t) (const void *data, FILE *fp);
 typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
@@ -364,11 +365,11 @@ do_ftell_test (const char *filename)
 	     reading.  */
 	  if (test_modes[i].fd_mode != O_WRONLY)
 	    {
-	      char tmpbuf[data_len];
+	      char tmpbuf[data_len * char_len];
 
 	      rewind (fp);
 
-	      while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
+	      while (fgets_func (tmpbuf, data_len, fp) && !feof (fp));
 
 	      write_ret = write (fd, data, data_len);
 	      if (write_ret != data_len)
@@ -656,6 +657,7 @@ do_test (void)
   fgets_func = (fgets_func_t) fgets;
   data = char_data;
   data_len = strlen (char_data);
+  char_len = sizeof (char);
   ret |= do_one_test (filename);
 
   /* Truncate the file before repeating the tests in wide mode.  */
@@ -678,6 +680,7 @@ do_test (void)
   fgets_func = (fgets_func_t) fgetws;
   data = wide_data;
   data_len = wcslen (wide_data);
+  char_len = sizeof (wchar_t);
   ret |= do_one_test (filename);
 
   return ret;