From edc696a73a7cb07b1aa68792a845a98d036ee7eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Bollo?= Date: Tue, 8 Mar 2022 09:58:16 +0100 Subject: libio: Ensure output buffer for wchars (bug #28828) The _IO_wfile_overflow does not check if the write pointer for wide data is valid before access, different than _IO_file_overflow. This leads to crash on some cases, as described by bug 28828. The minimal sequence to produce the crash was: #include #include int main (int ac, char **av) { setvbuf (stdout, NULL, _IOLBF, 0); fgetwc (stdin); fputwc (10, stdout); /*CRASH HERE!*/ return 0; } The "fgetwc(stdin);" is necessary since it triggers the bug by setting the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c, function _IO_wfile_underflow, line 213). Signed-off-by: Jose Bollo --- libio/tst-bz28828.input | 1 + 1 file changed, 1 insertion(+) create mode 100644 libio/tst-bz28828.input (limited to 'libio/tst-bz28828.input') diff --git a/libio/tst-bz28828.input b/libio/tst-bz28828.input new file mode 100644 index 0000000000..ce01362503 --- /dev/null +++ b/libio/tst-bz28828.input @@ -0,0 +1 @@ +hello -- cgit v1.2.3
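Review bot: the new file libio/tst-bz28828.input holds a single line, "hello", and nothing in this hunk says which test reads it or whether the content matters. The reproducer in the commit message calls fgetwc (stdin) once before fputwc (10, stdout), so the file presumably only has to supply at least one character on stdin. Please state that in a comment in the test source or next to the rule that feeds this file to the test, so that a later cleanup does not empty or rename the file without noticing that the regression test depends on it. This view is limited to the input file, so the test program and the _IO_wfile_overflow change named in the message should be reviewed alongside it to confirm that the test actually runs the fgetwc/fputwc sequence with stdout line-buffered by setvbuf (stdout, NULL, _IOLBF, 0).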