This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] Fix buffer overflow for writes to memory buffer stream (bug 18549)
- From: Andreas Schwab <schwab at suse dot de>
- To: libc-alpha at sourceware dot org
- Date: Thu, 25 Jun 2015 14:23:29 +0200
- Subject: [PATCH] Fix buffer overflow for writes to memory buffer stream (bug 18549)
- Authentication-results: sourceware.org; auth=none
Tested on x86_64-suse-linux.
Andreas.
[BZ #18549]
* libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC.
* libio/test-fmemopen.c (do_test): Add test for it.
---
libio/fmemopen.c | 2 +-
libio/test-fmemopen.c | 13 +++++++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba..06e5ab8 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
if (c->pos + s + addnullc > c->size)
{
- if ((size_t) (c->pos + addnullc) == c->size)
+ if ((size_t) (c->pos + addnullc) >= c->size)
{
__set_errno (ENOSPC);
return 0;
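Review bot: The inner check changes from `==` to `>=` without a comment saying why equality was not enough, and the reason is not evident from the line itself. When `c->pos` already equals `c->size` and `addnullc` is 1, the sum is greater than `c->size`, so the old test fell through to the code after this block. That code presumably clamps `s` with a subtraction that would then wrap, which would match the overflow named in the subject. I would add above the condition: `/* pos + addnullc can already exceed size (pos == size with a NUL pending); fail here so the length clamp below cannot underflow. */`. The rest of fmemopen_write, including that clamp, lies outside the hunk, so the wording should be confirmed against it.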
diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf..63ca89f 100644
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
#include <stdio.h>
#include <string.h>
+#include <errno.h>
static int
do_test (void)
{
int ch;
FILE *stream;
+ int ret = 0;
- stream = fmemopen (buffer, strlen (buffer), "r");
+ stream = fmemopen (buffer, strlen (buffer), "r+");
while ((ch = fgetc (stream)) != EOF)
printf ("Got %c\n", ch);
+ fputc ('1', stream);
+ if (fflush (stream) != EOF || errno != ENOSPC)
+ {
+ printf ("fflush didn't fail with ENOSPC\n");
+ ret = 1;
+ }
+
fclose (stream);
- return 0;
+ return ret;
}
#define TEST_FUNCTION do_test ()
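Review bot: The added test in do_test checks only that `fflush` fails with ENOSPC and never checks that `buffer` was left unmodified, so a write that spills past the stated size but still reports an error would pass. After `fclose (stream)` I would add `if (memcmp (buffer, "foobar", sizeof "foobar") != 0) { printf ("buffer was modified\n"); ret = 1; }`. That comparison also covers the terminating NUL, which sits just past the `strlen (buffer)` size handed to `fmemopen`. Setting `errno = 0;` before the `fputc` would also stop a stale ENOSPC from an earlier call satisfying the errno half of the condition.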
--
2.4.4
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."