The _IO_wfile_overflow does not check if the write pointer for wide
data is valid before access, different than _IO_file_overflow. This
leads to crash on some cases, as described by bug 28828.
The minimal sequence to produce the crash was:
#include <stdio.h>
#include <wchar.h>
int main (int ac, char **av)
{
setvbuf (stdout, NULL, _IOLBF, 0);
fgetwc (stdin);
fputwc (10, stdout); /*CRASH HERE!*/
return 0;
}
The "fgetwc(stdin);" is necessary since it triggers the bug by setting
the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
function _IO_wfile_underflow, line 213).
Signed-off-by: Jose Bollo <jobol@nonadev.net>
