From 3007f797a1a596e954f44879a5a7267966186ba4 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Fri, 28 Aug 2015 17:08:49 -0400 Subject: getmntent: fix memory corruption w/blank lines [BZ #18887] The fix for BZ #17273 introduced a single byte of memory corruption when the line is entirely blank. It would walk back past the start of the buffer if the heap happened to be 0x20 or 0x09 and then write a NUL byte. buffer = '\n'; end_ptr = buffer; while (end_ptr[-1] == ' ' || end_ptr[-1] == '\t') end_ptr--; *end_ptr = '\0'; Fix that and rework the tests. Adding the testcase for BZ #17273 to the existing \040 parser does not really make sense as it's unrelated, and leads to confusing behavior: it implicitly relies on the new entry being longer than the previous entry (since it just rewinds the FILE*). Split it out into its own dedicated testcase instead. (cherry picked from commit b0e805fa0d6fea33745952df7b7f5442ca4c374f) --- ChangeLog | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 8230149d4a..f3027b02cd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2015-08-28 Mike Frysinger + + [BZ #18887] + * misc/Makefile (tests): Add tst-mntent-blank-corrupt and + tst-mntent-blank-passno. + * misc/mntent_r.c (__getmntent_r): Do not read past buffer[0]. + * misc/tst-mntent-blank-corrupt.c: New test. + * misc/tst-mntent-blank-passno.c: New test ripped from ... + * misc/tst-mntent.c (do_test): ... here. + 2015-08-25 Roland McGrath * sysdeps/nacl/start.c (_start): Call __nacl_main instead of main -- cgit 1.4.1