From 32ff397533715988c19cbf3675dcbd727ec13e18 Mon Sep 17 00:00:00 2001
From: Andreas Schwab
Date: Tue, 14 May 2019 17:14:59 +0200
Subject: Fix crash in _IO_wfile_sync (bug 20568)

When computing the length of the converted part of the stdio buffer, use the number of consumed wide characters, not the (negative) distance to the end of the wide buffer.
---
 libio/wfileops.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'libio/wfileops.c')
diff --git a/libio/wfileops.c b/libio/wfileops.c
index 0367643703..69fbb62a02 100644
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -508,11 +508,12 @@ _IO_wfile_sync (FILE *fp)
 generate the wide characters up to the current reading
 position. */
 int nread;
-
+ size_t wnread = (fp->_wide_data->_IO_read_ptr
+ - fp->_wide_data->_IO_read_base);
 fp->_wide_data->_IO_state = fp->_wide_data->_IO_last_state;
 nread = (*cv->__codecvt_do_length) (cv, &fp->_wide_data->_IO_state,
 fp->_IO_read_base,
- fp->_IO_read_end, delta);
+ fp->_IO_read_end, wnread);
 fp->_IO_read_ptr = fp->_IO_read_base + nread;
 delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);
 }
-- cgit 1.4.1
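Review bot: The new `wnread` initialiser stores a pointer difference in a `size_t` without recording why it cannot be negative; if the wide buffer's `_IO_read_ptr` were ever below `_IO_read_base`, the value would wrap to a huge count and `__codecvt_do_length` would again receive a bogus limit, the same failure class the commit message describes for the negative `delta`. A short comment above the declaration would pin the invariant, e.g. `/* Wide characters consumed so far; _IO_read_ptr is never below _IO_read_base here.  */` (that invariant is assumed from the usual stdio buffer layout and is not shown in the hunk). Separately, `nread` stays an `int` while the limit is now a `size_t`; this looks safe only because the result is bounded by `fp->_IO_read_end - fp->_IO_read_base`, which is worth stating in the same comment. The body of `_IO_wfile_sync` starts and ends outside this hunk, so the declarations of `delta` and `cv` could not be checked.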