This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug stdio/20938] In variable-width charsets, _IO_wfile_sync passes a negative buffer size to __codecvt_do_length on certain inputs to fgetws resulting in SIGSEGV


https://sourceware.org/bugzilla/show_bug.cgi?id=20938

--- Comment #4 from cat stevens <catqueen2 at protonmail dot ch> ---
Comment on attachment 9693
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9693
Fix wfileops.c to never use a negative delta (swap the pointer subtraction and
always use ssize_t)

>diff --git a/libio/wfileops.c b/libio/wfileops.c
>index d88d08a..5b68100 100644
>--- a/libio/wfileops.c
>+++ b/libio/wfileops.c
>@@ -498,14 +498,15 @@ libc_hidden_def (_IO_wfile_overflow)
> wint_t
> _IO_wfile_sync (_IO_FILE *fp)
> {
>-  _IO_ssize_t delta;
>+  _IO_size_t delta;
>   wint_t retval = 0;
> 
>   /*    char* ptr = cur_ptr(); */
>   if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_write_base)
>     if (_IO_do_flush (fp))
>       return WEOF;
>-  delta = fp->_wide_data->_IO_read_ptr - fp->_wide_data->_IO_read_end;
>+  /* subtract read_ptr from read_end because read_end will always be greater */
>+  delta = fp->_wide_data->_IO_read_end - fp->_wide_data->_IO_read_ptr;
>   if (delta != 0)
>     {
>       /* We have to find out how many bytes we have to go back in the
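Review bot: the declaration change at the top of this hunk (`-  _IO_ssize_t delta;` / `+  _IO_size_t delta;`) makes `delta` unsigned, which contradicts the attachment description ("always use ssize_t") and does not fit how the variable is still used: the comment at the end of this hunk says the value is how many bytes to go back, i.e. a signed seek offset, and the second hunk still ends with `delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);`, which on an unsigned type wraps to a huge positive value instead of the intended negative one. Keep `_IO_ssize_t`. Reversing the subtraction to `fp->_wide_data->_IO_read_end - fp->_wide_data->_IO_read_ptr` likewise flips the sign convention of every later use of `delta` without adjusting them; if the goal is only a non-negative count to hand to `__codecvt_do_length`, compute that count in a separate variable and leave `delta` as the seek-back amount. The added comment should also follow the file's convention of a capitalised full sentence, as in the `/* We have to find out ...` comment just below it.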
>@@ -530,7 +531,8 @@ _IO_wfile_sync (_IO_FILE *fp)
>          fp->_wide_data->_IO_state = fp->_wide_data->_IO_last_state;
>          nread = (*cv->__codecvt_do_length) (cv, &fp->_wide_data->_IO_state,
>                                              fp->_IO_read_base,
>-                                             fp->_IO_read_end, delta);
>+                                             fp->_IO_read_end,
>+                delta);
>          fp->_IO_read_ptr = fp->_IO_read_base + nread;
>          delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);
>        }
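Review bot: passing `delta` as the last argument of `__codecvt_do_length` hands it the count of not-yet-consumed wide characters (`_IO_read_end - _IO_read_ptr` after the first hunk), but the result `nread` is used as `fp->_IO_read_ptr = fp->_IO_read_base + nread`, so the call has to measure the external bytes consumed in producing the wide characters that have already been read, i.e. those between `fp->_wide_data->_IO_read_base` and `fp->_wide_data->_IO_read_ptr`. Pass that consumed count (computed into its own `size_t` variable) rather than the unconsumed one; otherwise the argument is no longer negative but `nread`, and with it `_IO_read_ptr` and the final `delta`, are still wrong. The other change in this hunk, splitting `delta);` onto its own line with indentation that does not align with the preceding arguments, is whitespace-only and should be dropped.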

