diff options
author | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
---|---|---|
committer | Adhemerval Zanella <azanella@linux.vnet.ibm.com> | 2014-12-05 07:41:22 -0500 |
commit | 9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a (patch) | |
tree | 8584d933eb5bed98af8b3784a1b3f785c9df8b36 /misc/fsync.c | |
parent | 4bee4cd9593610ac1204529076591871b1143c7e (diff) | |
download | glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.gz glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.tar.bz2 glibc-9752c3cdbce2b3b8338abf09c8b9dd9e78908b8a.zip |
libio: Fix buffer overrun in tst-ftell-active-handler
On 'do_ftell_test' the code:
365 if (test_modes[i].fd_mode != O_WRONLY)
366 {
367 char tmpbuf[data_len];
368
369 rewind (fp);
370
371 while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
The 'data_len' is calculated with wsclen and allocated as 'char'. The
subsequent fgetws will then try to write at most 'data_len' wchar_t
in a buffer with just data_len 'char'. This patch fixes it by
allocating the tmpbuf using 'wchar_t' * data_len bytes.
Diffstat (limited to 'misc/fsync.c')
0 files changed, 0 insertions, 0 deletions