diff options
author | Mike Frysinger <vapier@gentoo.org> | 2015-08-28 17:08:49 -0400 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2015-08-29 18:07:00 -0400 |
commit | b0e805fa0d6fea33745952df7b7f5442ca4c374f (patch) | |
tree | 1912c70048e9a9a4a48681f37d0dd692265cd693 /misc/mntent_r.c | |
parent | 30da407eca459329e060d0412c3fa6710f657e83 (diff) | |
download | glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.gz glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.tar.xz glibc-b0e805fa0d6fea33745952df7b7f5442ca4c374f.zip |
getmntent: fix memory corruption w/blank lines [BZ #18887]
The fix for BZ #17273 introduced a single byte of memory corruption when the line is entirely blank. It would walk back past the start of the buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte. buffer = '\n'; end_ptr = buffer; while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t') end_ptr--; *end_ptr = '\0'; Fix that and rework the tests. Adding the testcase for BZ #17273 to the existing \040 parser does not really make sense as it's unrelated, and leads to confusing behavior: it implicitly relies on the new entry being longer than the previous entry (since it just rewinds the FILE*). Split it out into its own dedicated testcase instead.
Diffstat (limited to 'misc/mntent_r.c')
-rw-r--r-- | misc/mntent_r.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/misc/mntent_r.c b/misc/mntent_r.c index 615987347a..4f269984d7 100644 --- a/misc/mntent_r.c +++ b/misc/mntent_r.c @@ -136,7 +136,9 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) end_ptr = strchr (buffer, '\n'); if (end_ptr != NULL) /* chop newline */ { - while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t') + /* Do not walk past the start of buffer if it's all whitespace. */ + while (end_ptr != buffer + && (end_ptr[-1] == ' ' || end_ptr[-1] == '\t')) end_ptr--; *end_ptr = '\0'; } |