diff options
| author | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
|---|---|---|
| committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
| commit | 9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a (patch) | |
| tree | 8584d933eb5bed98af8b3784a1b3f785c9df8b36 /ChangeLog | |
| parent | 4bee4cd9593610ac1204529076591871b1143c7e (diff) | |
| download | glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.gz glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.bz2 glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.zip | |
libio: Fix buffer overrun in tst-ftell-active-handler
On 'do_ftell_test' the code:
365 if (test_modes[i].fd_mode != O_WRONLY)
366 {
367 char tmpbuf[data_len];
368
369 rewind (fp);
370
371 while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
The 'data_len' is calculated with wsclen and allocated as 'char'. The
subsequent fgetws will then try to write at most 'data_len' wchar_t
in a buffer with just data_len 'char'. This patch fixes it by
allocating the tmpbuf using 'wchar_t' * data_len bytes.
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -1,3 +1,8 @@ +2014-12-05 Adhemerval Zanella <azanella@linux.vnet.ibm.com> + + * libio/tst-ftell-active-handler.c (do_ftell_test): Fix buffer overrun + for wide-character tests. + 2014-12-04 Roland McGrath <roland@hack.frob.com> * io/openat64.c: #include <libc-internal.h> |