From patchwork Thu Jun 25 12:23:29 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Schwab X-Patchwork-Id: 488440 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 5724C1402EC for ; Thu, 25 Jun 2015 22:23:40 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=sourceware.org header.i=@sourceware.org header.b=dsLbOoBj; dkim-atps=neutral DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:date:message-id:mime-version :content-type; q=dns; s=default; b=NHiAfCU2/v9D6sLv9VS7ZpR3+FZ9p xIygzFv9VuwzPPDGQGPTGOIw6wDoS/HiXHDEHrJcR9lv8HMaKO+oIDMDutcAiKxg wZ1P6AIyQ/kfM9PFtsSY+Pj5bKQpeKUKcsCkAMyrcnfg2IKd3ssJNymVPre/dwLm 80kj94zgyg6URg= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:subject:date:message-id:mime-version :content-type; s=default; bh=vQ79/MB47+Mneiw3ReB5HvJI0dY=; b=dsL bOoBjkZGI2Q4hAERU4pMHT+2Ox/1KgF9W3D4gEJd8a8BzUDapGZHTOgqGfOwSiJ4 w0nsGUXN66o3jMVzDtxobRSdHJFmQEbY10G5ZAr5XFuZQZ3ZSpX7Pi3yFaSLgnL2 g2qqN+qMDvGa1WV5HoBXQSBr+y6HK9rfOjYJjyNY= Received: (qmail 46759 invoked by alias); 25 Jun 2015 12:23:34 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 46720 invoked by uid 89); 25 Jun 2015 12:23:33 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.0 required=5.0 tests=AWL, BAYES_00, KAM_LAZY_DOMAIN_SECURITY, RP_MATCHES_RCVD autolearn=ham version=3.3.2 X-HELO: mx2.suse.de From: Andreas Schwab To: libc-alpha@sourceware.org Subject: [PATCH] Fix buffer overflow for writes to memory buffer stream (bug 18549) X-Yow: How do you explain Wayne Newton's POWER over millions? It's th' MOUSTACHE... Have you ever noticed th' way it radiates SINCERITY, HONESTY & WARMTH? It's a MOUSTACHE you want to take HOME and introduce to NANCY SINATRA! Date: Thu, 25 Jun 2015 14:23:29 +0200 Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) MIME-Version: 1.0 Tested on x86_64-suse-linux. Andreas. [BZ #18549] * libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC. * libio/test-fmemopen.c (do_test): Add test for it. --- libio/fmemopen.c | 2 +- libio/test-fmemopen.c | 13 +++++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/libio/fmemopen.c b/libio/fmemopen.c index 6c50fba..06e5ab8 100644 --- a/libio/fmemopen.c +++ b/libio/fmemopen.c @@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s) if (c->pos + s + addnullc > c->size) { - if ((size_t) (c->pos + addnullc) == c->size) + if ((size_t) (c->pos + addnullc) >= c->size) { __set_errno (ENOSPC); return 0; diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c index cddf0cf..63ca89f 100644 --- a/libio/test-fmemopen.c +++ b/libio/test-fmemopen.c @@ -21,21 +21,30 @@ static char buffer[] = "foobar"; #include #include +#include static int do_test (void) { int ch; FILE *stream; + int ret = 0; - stream = fmemopen (buffer, strlen (buffer), "r"); + stream = fmemopen (buffer, strlen (buffer), "r+"); while ((ch = fgetc (stream)) != EOF) printf ("Got %c\n", ch); + fputc ('1', stream); + if (fflush (stream) != EOF || errno != ENOSPC) + { + printf ("fflush didn't fail with ENOSPC\n"); + ret = 1; + } + fclose (stream); - return 0; + return ret; } #define TEST_FUNCTION do_test ()