Fix buffer overflow for writes to memory buffer stream (bug 18549)

ChangeLog

@@ -1,3 +1,9 @@
+2015-06-25  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18549]
+	* libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC.
+	* libio/test-fmemopen.c (do_test): Add test for it.
+
 2015-06-25  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #17841]

NEWS

@@ -24,7 +24,8 @@ Version 2.22
   18434, 18444, 18468, 18469, 18470, 18479, 18483, 18495, 18496, 18497,
   18498, 18507, 18512, 18513, 18519, 18520, 18522, 18527, 18528, 18529,
   18530, 18532, 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545,
-  18546, 18547, 18553, 18558, 18569, 18583, 18585, 18586, 18593, 18594.
+  18546, 18547, 18549, 18553, 18558, 18569, 18583, 18585, 18586, 18593,
+  18594.
 
 * Cache information can be queried via sysconf() function on s390 e.g. with
   _SC_LEVEL1_ICACHE_SIZE as argument.

libio/fmemopen.c

@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
 	{
 	  __set_errno (ENOSPC);
 	  return 0;

libio/test-fmemopen.c

@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()