diff options
author | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
---|---|---|
committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
commit | 9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a (patch) | |
tree | 8584d933eb5bed98af8b3784a1b3f785c9df8b36 /libio | |
parent | 4bee4cd9593610ac1204529076591871b1143c7e (diff) | |
download | glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.gz glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.xz glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.zip |
libio: Fix buffer overrun in tst-ftell-active-handler
On 'do_ftell_test' the code: 365 if (test_modes[i].fd_mode != O_WRONLY) 366 { 367 char tmpbuf[data_len]; 368 369 rewind (fp); 370 371 while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp)); The 'data_len' is calculated with wsclen and allocated as 'char'. The subsequent fgetws will then try to write at most 'data_len' wchar_t in a buffer with just data_len 'char'. This patch fixes it by allocating the tmpbuf using 'wchar_t' * data_len bytes.
Diffstat (limited to 'libio')
-rw-r--r-- | libio/tst-ftell-active-handler.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libio/tst-ftell-active-handler.c b/libio/tst-ftell-active-handler.c index f69e16922a..44a4facaf7 100644 --- a/libio/tst-ftell-active-handler.c +++ b/libio/tst-ftell-active-handler.c @@ -84,6 +84,7 @@ static const char *char_data = "abcdef"; static const wchar_t *wide_data = L"abcdef"; static size_t data_len; static size_t file_len; +static size_t char_len; typedef int (*fputs_func_t) (const void *data, FILE *fp); typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp); @@ -364,11 +365,11 @@ do_ftell_test (const char *filename) reading. */ if (test_modes[i].fd_mode != O_WRONLY) { - char tmpbuf[data_len]; + char tmpbuf[data_len * char_len]; rewind (fp); - while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp)); + while (fgets_func (tmpbuf, data_len, fp) && !feof (fp)); write_ret = write (fd, data, data_len); if (write_ret != data_len) @@ -656,6 +657,7 @@ do_test (void) fgets_func = (fgets_func_t) fgets; data = char_data; data_len = strlen (char_data); + char_len = sizeof (char); ret |= do_one_test (filename); /* Truncate the file before repeating the tests in wide mode. */ @@ -678,6 +680,7 @@ do_test (void) fgets_func = (fgets_func_t) fgetws; data = wide_data; data_len = wcslen (wide_data); + char_len = sizeof (wchar_t); ret |= do_one_test (filename); return ret; |