summary refs log tree commit diff
path: root/wcsmbs/wcsdup.c
diff options
context:
space:
mode:
authorJosé Bollo <jobol@nonadev.net>2022-03-08 09:58:16 +0100
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2022-03-08 14:25:32 -0300
commitedc696a73a7cb07b1aa68792a845a98d036ee7eb (patch)
tree1702a42530d36697bfdb4f9dbe1426b306e47f88 /wcsmbs/wcsdup.c
parent2da6e439164c54bac4d5fd1320e32f8e16c1a6be (diff)
downloadglibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.gz
glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.tar.xz
glibc-edc696a73a7cb07b1aa68792a845a98d036ee7eb.zip
libio: Ensure output buffer for wchars (bug #28828)
The _IO_wfile_overflow does not check if the write pointer for wide
data is valid before access, different than _IO_file_overflow.  This
leads to crash on some cases, as described by bug 28828.

The minimal sequence to produce the crash was:

  #include <stdio.h>
  #include <wchar.h>
  int main (int ac, char **av)
  {
    setvbuf (stdout, NULL, _IOLBF, 0);
    fgetwc (stdin);
    fputwc (10, stdout); /*CRASH HERE!*/
    return 0;
  }

The "fgetwc(stdin);" is necessary since it triggers the bug by setting
the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
function _IO_wfile_underflow, line 213).

Signed-off-by: Jose Bollo <jobol@nonadev.net>
Diffstat (limited to 'wcsmbs/wcsdup.c')
0 files changed, 0 insertions, 0 deletions