mirror of
https://sourceware.org/git/glibc.git
synced 2024-11-21 20:40:05 +00:00
18596c5415
This fixes a buffer overflow in wide character string output, reproducing
when output fails, such as if the output fd is closed or is redirected
to a full device.
Wide character output data attempts to maintain the invariant that
`_IO_buf_base <= _IO_write_base <= _IO_write_end <= _IO_buf_end` (that is,
that the write region is a sub-region of `_IO_buf`). Prior to this commit,
this invariant is violated by the `_IO_wfile_overflow` function as so:
1. `_IO_wsetg` is called, assigning `_IO_write_base` to `_IO_buf_base`
2. `_IO_doallocbuf` is called, which jumps to `_IO_wfile_doallocate` via
the _IO_wfile_jumps vtable. This function then assigns the wide data
`_IO_buf_base` and `_IO_buf_end` to a malloc'd buffer.
Thus the invariant is violated. The fix is simply to reverse the order:
malloc the `_IO_buf` first and then assign `_IO_write_base` to it.
We also take this opportunity to defensively guard the initialization of
the number of unwritten characters via pointer arithmetic. We now check
that the buffer end is not before the buffer beginning; this matches a
similar defensive check in the narrow analogue `fileops.c`.
Add a test which fails without the fix.
Signed-off-by: Peter Ammon <corydoras@ridiculousfish.com>
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
79 lines
2.2 KiB
C
79 lines
2.2 KiB
C
/* Regression test for 20632.
|
|
Copyright (C) 2024 Free Software Foundation, Inc.
|
|
Copyright The GNU Toolchain Authors.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include <errno.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <support/check.h>
|
|
#include <support/xunistd.h>
|
|
#include <unistd.h>
|
|
|
|
#ifndef WIDE
|
|
# define TEST_NAME "fputs-unbuffered-full"
|
|
# define CHAR char
|
|
# define FPUTS fputs
|
|
# define TEXT "0123456789ABCDEF"
|
|
#else
|
|
# include <wchar.h>
|
|
# define TEST_NAME "fputws-unbuffered-full"
|
|
# define CHAR wchar_t
|
|
# define FPUTS fputws
|
|
# define TEXT L"0123456789ABCDEF"
|
|
#endif /* WIDE */
|
|
|
|
|
|
static int
|
|
do_test (void)
|
|
{
|
|
/* Open an unbuffered stream to /dev/full. */
|
|
FILE *fp = fopen ("/dev/full", "w");
|
|
TEST_VERIFY_EXIT (fp != NULL);
|
|
int ret = setvbuf (fp, NULL, _IONBF, 0);
|
|
TEST_VERIFY_EXIT (ret == 0);
|
|
|
|
/* Output a long string. */
|
|
const int sz = 4096;
|
|
CHAR *buff = calloc (sz+1, sizeof *buff);
|
|
for (int i=0; i < sz; i++)
|
|
buff[i] = (CHAR) 'x';
|
|
buff[sz] = (CHAR) '\0';
|
|
errno = 0;
|
|
ret = FPUTS (buff, fp);
|
|
TEST_VERIFY (ret == EOF);
|
|
TEST_VERIFY (errno == ENOSPC);
|
|
free (buff);
|
|
|
|
/* Output shorter strings. */
|
|
for (int i=0; i < 1024; i++)
|
|
{
|
|
errno = 0;
|
|
ret = FPUTS (TEXT, fp);
|
|
TEST_VERIFY (ret == EOF);
|
|
TEST_VERIFY (errno == ENOSPC);
|
|
|
|
/* Call malloc, triggering a crash if its
|
|
function pointers have been overwritten. */
|
|
void *volatile ptr = malloc (1);
|
|
free (ptr);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
#include <support/test-driver.c>
|