about summary refs log tree commit diff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2018-07-13 21:56:27 -0400
committerRich Felker <dalias@aerifal.cx>2018-07-13 21:56:27 -0400
commit9cad27a3dc1a4eb349b6591e4dc8cc89dce32277 (patch)
tree9346b3dd848090b935d466385c006fdd86263ceb
parent062015204a192dd6ab9663abcc3171b9106d1749 (diff)
downloadmusl-9cad27a3dc1a4eb349b6591e4dc8cc89dce32277.tar.gz
musl-9cad27a3dc1a4eb349b6591e4dc8cc89dce32277.tar.xz
musl-9cad27a3dc1a4eb349b6591e4dc8cc89dce32277.zip
fix writes outside buffer by ungetc after setvbuf
commit 0b80a7b0404b6e49b0b724e3e3fe0ed5af3b08ef, which added non-stub
setvbuf, applied the UNGET pushback adjustment to the size of the
buffer passed in, but inadvertently omitted offsetting the start by
the same amount, thereby allowing unget to clobber up to 8 bytes
before the start of the buffer. this bug was introduced in the present
release cycle; no releases are affected.
-rw-r--r--src/stdio/setvbuf.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/setvbuf.c b/src/stdio/setvbuf.c
index b6b9b018..06ea296c 100644
--- a/src/stdio/setvbuf.c
+++ b/src/stdio/setvbuf.c
@@ -14,7 +14,7 @@ int setvbuf(FILE *restrict f, char *restrict buf, int type, size_t size)
 		f->buf_size = 0;
 	} else {
 		if (buf && size >= UNGET) {
-			f->buf = (void *)buf;
+			f->buf = (void *)(buf + UNGET);
 			f->buf_size = size - UNGET;
 		}
 		if (type == _IOLBF && f->buf_size)