author | Rich Felker <dalias@aerifal.cx> | 2012-04-17 10:58:02 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2012-04-17 10:58:02 -0400 |
commit | b5a8b28915aad17b6f49ccacd6d3fef3890844d1 (patch) | |
tree | 4e99ccfebc80ef47789e1457fa675381f6514492 /src/prng/rand_r.c | |
parent | cc3a4466605fe8dfc31f3b75779110ac93055bc1 (diff) | |
download | musl-b5a8b28915aad17b6f49ccacd6d3fef3890844d1.tar.gz musl-b5a8b28915aad17b6f49ccacd6d3fef3890844d1.tar.xz musl-b5a8b28915aad17b6f49ccacd6d3fef3890844d1.zip |
fix buffer overflow in vfprintf on long writes to unbuffered files
vfprintf temporarily swaps in a local buffer (for the duration of the operation) when the target stream is unbuffered; this both simplifies the implementation of functions like dprintf (they don't need their own buffers) and eliminates the pathologically bad performance of writing the formatted output with one or more write syscalls per formatting field. in cases like dprintf where we are dealing with a virgin FILE structure, everything worked correctly. however for long-lived files (like stderr), it's possible that the buffer bounds were already set for the internal zero-size buffer. on the next write, __stdio_write would pick up and use the new buffer provided by vfprintf, but the bound (wend) field was still pointing at the internal zero-size buffer's end. this in turn allowed unbounded writes to the temporary buffer.
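The failure mode in the message is a stale bound: the stream's buffer pointer is replaced, but the end-of-buffer pointer that the write path compares against still describes the old, zero-size buffer. The model below is an added example, not musl's code: `struct toy_file`, the `arena`, `swap_in_buffer_buggy`, `swap_in_buffer_fixed`, `begin_write` and `demo` are all constructed here to reproduce the shape of the problem. It deliberately places both buffers in one array so the pointer arithmetic stays defined C, and it reports whether the bounds check would admit an oversized copy instead of actually performing it. It also covers the "virgin FILE" case the message calls out as working correctly, where the bounds were never set up and are derived from the swapped-in buffer on first use.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INTERNAL_BUF_SIZE 64

/* Constructed stand-in for the FILE fields named in the commit message.
 * Both buffers live in one arena so that wend - wpos is defined even when
 * the two pointers refer to different buffers (in the real bug they are
 * distinct objects). Layout: arena[0] is the zero-size buffer,
 * arena[1..65) is the 64-byte buffer vfprintf swaps in. */
struct toy_file {
    unsigned char arena[INTERNAL_BUF_SIZE + 1];
    unsigned char *buf;      /* current output buffer */
    size_t buf_size;
    unsigned char *wbase;    /* start of pending output */
    unsigned char *wpos;     /* next byte to append */
    unsigned char *wend;     /* one past the last usable byte; NULL = bounds not set up yet */
};

static unsigned char *zero_buf(struct toy_file *f)     { return f->arena; }
static unsigned char *internal_buf(struct toy_file *f) { return f->arena + 1; }

/* Fresh, never-written unbuffered stream (the dprintf case). */
static void init_virgin(struct toy_file *f) {
    memset(f, 0, sizeof *f);
    f->buf = zero_buf(f);
    f->buf_size = 0;
}

/* Long-lived unbuffered stream (the stderr case): an earlier write already
 * established wbase/wpos/wend for the zero-size buffer. */
static void init_longlived(struct toy_file *f) {
    init_virgin(f);
    f->wbase = f->wpos = f->buf;
    f->wend = f->buf + f->buf_size;
}

/* Buggy swap: buf and buf_size change, but wend keeps pointing at the end of
 * the zero-size buffer. */
static void swap_in_buffer_buggy(struct toy_file *f) {
    f->buf = internal_buf(f);
    f->buf_size = INTERNAL_BUF_SIZE;
}

/* Fixed swap: drop the derived pointers so they are rebuilt from the new buffer. */
static void swap_in_buffer_fixed(struct toy_file *f) {
    f->wbase = f->wpos = f->wend = NULL;
    f->buf = internal_buf(f);
    f->buf_size = INTERNAL_BUF_SIZE;
}

/* Start of a write. If bounds were never set, derive all three from buf.
 * Otherwise reuse the existing bound but append into the current buffer,
 * which is exactly the stale-wend situation the message describes. */
static void begin_write(struct toy_file *f) {
    if (!f->wend) {
        f->wbase = f->wpos = f->buf;
        f->wend = f->buf + f->buf_size;
        return;
    }
    f->wbase = f->wpos = f->buf;
}

/* Room the bounds check believes exists: a ptrdiff_t converted to size_t, so a
 * wend that lies before wpos becomes a huge value and every length passes. */
static size_t claimed_room(const struct toy_file *f) { return (size_t)(f->wend - f->wpos); }

/* Room that actually exists in the buffer wpos points into. */
static size_t real_room(const struct toy_file *f) { return (size_t)(f->buf + f->buf_size - f->wpos); }

/* Returns 1 if an n-byte write passes the bounds check but exceeds the real buffer. */
static int write_would_overflow(struct toy_file *f, size_t n) {
    begin_write(f);
    return n <= claimed_room(f) && n > real_room(f);
}

/* longlived: 1 = stderr-like stream, 0 = virgin stream; fixed selects the swap variant. */
static int demo(int longlived, int fixed, size_t n) {
    struct toy_file f;
    if (longlived) init_longlived(&f); else init_virgin(&f);
    if (fixed) swap_in_buffer_fixed(&f); else swap_in_buffer_buggy(&f);
    return write_would_overflow(&f, n);
}

int main(void) {
    printf("virgin stream, buggy swap, 1000 bytes:     overflow=%d\n", demo(0, 0, 1000));
    printf("long-lived stream, buggy swap, 1000 bytes: overflow=%d\n", demo(1, 0, 1000));
    printf("long-lived stream, fixed swap, 1000 bytes: overflow=%d\n", demo(1, 1, 1000));
    return 0;
}
```

The generalisation worth keeping from this: whenever a buffer pointer and its derived cursors (`wbase`, `wpos`, `wend`) are stored separately, swapping the buffer must invalidate or rewrite all of them in the same step, or a later bounds check silently compares pointers from two different objects.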
Diffstat (limited to 'src/prng/rand_r.c')
0 files changed, 0 insertions, 0 deletions