diff options
| author | José Bollo <jobol@nonadev.net> | 2022-03-08 09:58:16 +0100 |
|---|---|---|
| committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2022-03-08 14:25:32 -0300 |
| commit | edc696a73a7cb07b1aa68792a845a98d036ee7eb (patch) | |
| tree | 1702a42530d36697bfdb4f9dbe1426b306e47f88 /rt/mq_open.c | |
| parent | 2da6e439164c54bac4d5fd1320e32f8e16c1a6be (diff) | |
| download | glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.gz glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.xz glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.zip | |
libio: Ensure output buffer for wchars (bug #28828)
The _IO_wfile_overflow does not check if the write pointer for wide
data is valid before access, different than _IO_file_overflow. This
leads to crash on some cases, as described by bug 28828.
The minimal sequence to produce the crash was:
#include <stdio.h>
#include <wchar.h>
int main (int ac, char **av)
{
setvbuf (stdout, NULL, _IOLBF, 0);
fgetwc (stdin);
fputwc (10, stdout); /*CRASH HERE!*/
return 0;
}
The "fgetwc(stdin);" is necessary since it triggers the bug by setting
the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
function _IO_wfile_underflow, line 213).
Signed-off-by: Jose Bollo <jobol@nonadev.net>
Diffstat (limited to 'rt/mq_open.c')
0 files changed, 0 insertions, 0 deletions