Fix buffer overflow for writes to memory buffer stream (bug 18549)

author: Andreas Schwab <schwab@suse.de> 2015-06-25 11:53:06 +0200
committer: Andreas Schwab <schwab@suse.de> 2015-06-25 15:54:09 +0200
commit: 7c2ce714d4e853aadbec13b920576fdfada520f1 (patch)
tree: 90876240dcbfc51809b22803b0b05054ead2bade
parent: cc08749b2d1c68284b25b157fbbe1ff219495cae (diff)
download: glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar
glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.gz
glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.bz2
glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.zip
4 files changed, 20 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 7fe8b82196..76b303e4ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-06-25  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18549]
+	* libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC.
+	* libio/test-fmemopen.c (do_test): Add test for it.
+
 2015-06-25  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #17841]
diff --git a/NEWS b/NEWS
index 58f85e79bb..35a077e255 100644
--- a/NEWS
+++ b/NEWS
@@ -24,7 +24,8 @@ Version 2.22
   18434, 18444, 18468, 18469, 18470, 18479, 18483, 18495, 18496, 18497,
   18498, 18507, 18512, 18513, 18519, 18520, 18522, 18527, 18528, 18529,
   18530, 18532, 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545,
-  18546, 18547, 18553, 18558, 18569, 18583, 18585, 18586, 18593, 18594.
+  18546, 18547, 18549, 18553, 18558, 18569, 18583, 18585, 18586, 18593,
+  18594.
 
 * Cache information can be queried via sysconf() function on s390 e.g. with
   _SC_LEVEL1_ICACHE_SIZE as argument.
diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba221..06e5ab8002 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
 	{
 	  __set_errno (ENOSPC);
 	  return 0;
diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf5e1..63ca89f300 100644
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()
author	Andreas Schwab <schwab@suse.de>	2015-06-25 11:53:06 +0200
committer	Andreas Schwab <schwab@suse.de>	2015-06-25 15:54:09 +0200
commit	7c2ce714d4e853aadbec13b920576fdfada520f1 (patch)
tree	90876240dcbfc51809b22803b0b05054ead2bade
parent	cc08749b2d1c68284b25b157fbbe1ff219495cae (diff)
download	glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.gz glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.tar.bz2 glibc-7c2ce714d4e853aadbec13b920576fdfada520f1.zip