145 lines
5.3 KiB
Diff
145 lines
5.3 KiB
Diff
|
From c6177be4b92d5d7df50a785652d1912db511423e Mon Sep 17 00:00:00 2001
|
||
|
From: Andreas Schwab <schwab@suse.de>
|
||
|
Date: Wed, 15 May 2019 17:09:05 +0200
|
||
|
Subject: [PATCH 19] Fix crash in _IO_wfile_sync (bug 20568)
|
||
|
|
||
|
When computing the length of the converted part of the stdio buffer, use
|
||
|
the number of consumed wide characters, not the (negative) distance to the
|
||
|
end of the wide buffer.
|
||
|
|
||
|
(cherry picked from commit 32ff397533715988c19cbf3675dcbd727ec13e18)
|
||
|
---
|
||
|
ChangeLog | 10 ++++++++++
|
||
|
NEWS | 1 +
|
||
|
libio/Makefile | 3 ++-
|
||
|
libio/tst-wfile-sync.c | 39 ++++++++++++++++++++++++++++++++++++++
|
||
|
libio/tst-wfile-sync.input | 1 +
|
||
|
libio/wfileops.c | 5 +++--
|
||
|
6 files changed, 56 insertions(+), 3 deletions(-)
|
||
|
create mode 100644 libio/tst-wfile-sync.c
|
||
|
create mode 100644 libio/tst-wfile-sync.input
|
||
|
|
||
|
diff --git a/ChangeLog b/ChangeLog
|
||
|
index 5af8e27ab9..d3fcf73e47 100644
|
||
|
--- a/ChangeLog
|
||
|
+++ b/ChangeLog
|
||
|
@@ -1,3 +1,13 @@
|
||
|
+2019-05-15 Andreas Schwab <schwab@suse.de>
|
||
|
+
|
||
|
+ [BZ #20568]
|
||
|
+ * libio/wfileops.c (_IO_wfile_sync): Correct last argument to
|
||
|
+ __codecvt_do_length.
|
||
|
+ * libio/Makefile (tests): Add tst-wfile-sync.
|
||
|
+ ($(objpfx)tst-wfile-sync.out): Depend on $(gen-locales).
|
||
|
+ * libio/tst-wfile-sync.c: New file.
|
||
|
+ * libio/tst-wfile-sync.input: New file.
|
||
|
+
|
||
|
2019-04-23 Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||
|
|
||
|
[BZ #18035]
|
||
|
diff --git a/NEWS b/NEWS
|
||
|
index b39a0ccf91..c10ab5e851 100644
|
||
|
--- a/NEWS
|
||
|
+++ b/NEWS
|
||
|
@@ -15,6 +15,7 @@ The following bugs are resolved with this release:
|
||
|
|
||
|
[16573] malloc: Set and reset all hooks for tracing
|
||
|
[18035] Fix pldd hang
|
||
|
+ [20568] Fix crash in _IO_wfile_sync
|
||
|
[24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
|
||
|
[24164] Systemtap probes need to use "nr" constraint on 32-bit Arm
|
||
|
[24161] __run_fork_handlers self-deadlocks in malloc/tst-mallocfork2
|
||
|
diff --git a/libio/Makefile b/libio/Makefile
|
||
|
index 5bee83e55c..ee3a34cc3b 100644
|
||
|
--- a/libio/Makefile
|
||
|
+++ b/libio/Makefile
|
||
|
@@ -65,7 +65,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc \
|
||
|
tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
|
||
|
tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
|
||
|
tst-ftell-append tst-fputws tst-bz22415 tst-fgetc-after-eof \
|
||
|
- tst-sprintf-ub tst-sprintf-chk-ub
|
||
|
+ tst-sprintf-ub tst-sprintf-chk-ub tst-wfile-sync
|
||
|
|
||
|
tests-internal = tst-vtables tst-vtables-interposed tst-readline
|
||
|
|
||
|
@@ -212,6 +212,7 @@ $(objpfx)tst-ungetwc1.out: $(gen-locales)
|
||
|
$(objpfx)tst-ungetwc2.out: $(gen-locales)
|
||
|
$(objpfx)tst-widetext.out: $(gen-locales)
|
||
|
$(objpfx)tst_wprintf2.out: $(gen-locales)
|
||
|
+$(objpfx)tst-wfile-sync.out: $(gen-locales)
|
||
|
endif
|
||
|
|
||
|
$(objpfx)test-freopen.out: test-freopen.sh $(objpfx)test-freopen
|
||
|
diff --git a/libio/tst-wfile-sync.c b/libio/tst-wfile-sync.c
|
||
|
new file mode 100644
|
||
|
index 0000000000..618682064d
|
||
|
--- /dev/null
|
||
|
+++ b/libio/tst-wfile-sync.c
|
||
|
@@ -0,0 +1,39 @@
|
||
|
+/* Test that _IO_wfile_sync does not crash (bug 20568).
|
||
|
+ Copyright (C) 2019 Free Software Foundation, Inc.
|
||
|
+ This file is part of the GNU C Library.
|
||
|
+
|
||
|
+ The GNU C Library is free software; you can redistribute it and/or
|
||
|
+ modify it under the terms of the GNU Lesser General Public
|
||
|
+ License as published by the Free Software Foundation; either
|
||
|
+ version 2.1 of the License, or (at your option) any later version.
|
||
|
+
|
||
|
+ The GNU C Library is distributed in the hope that it will be useful,
|
||
|
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||
|
+ Lesser General Public License for more details.
|
||
|
+
|
||
|
+ You should have received a copy of the GNU Lesser General Public
|
||
|
+ License along with the GNU C Library; if not, see
|
||
|
+ <http://www.gnu.org/licenses/>. */
|
||
|
+
|
||
|
+#include <locale.h>
|
||
|
+#include <stdio.h>
|
||
|
+#include <wchar.h>
|
||
|
+#include <support/check.h>
|
||
|
+#include <support/xunistd.h>
|
||
|
+
|
||
|
+static int
|
||
|
+do_test (void)
|
||
|
+{
|
||
|
+ TEST_VERIFY_EXIT (setlocale (LC_ALL, "de_DE.UTF-8") != NULL);
|
||
|
+ /* Fill the stdio buffer and advance the read pointer. */
|
||
|
+ TEST_VERIFY_EXIT (fgetwc (stdin) != WEOF);
|
||
|
+ /* This calls _IO_wfile_sync, it should not crash. */
|
||
|
+ TEST_VERIFY_EXIT (setvbuf (stdin, NULL, _IONBF, 0) == 0);
|
||
|
+ /* Verify that the external file offset has been synchronized. */
|
||
|
+ TEST_COMPARE (xlseek (0, 0, SEEK_CUR), 1);
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
+#include <support/test-driver.c>
|
||
|
diff --git a/libio/tst-wfile-sync.input b/libio/tst-wfile-sync.input
|
||
|
new file mode 100644
|
||
|
index 0000000000..12d0958f7a
|
||
|
--- /dev/null
|
||
|
+++ b/libio/tst-wfile-sync.input
|
||
|
@@ -0,0 +1 @@
|
||
|
+This is a test of _IO_wfile_sync.
|
||
|
diff --git a/libio/wfileops.c b/libio/wfileops.c
|
||
|
index 78f20486e5..bab2ba4892 100644
|
||
|
--- a/libio/wfileops.c
|
||
|
+++ b/libio/wfileops.c
|
||
|
@@ -508,11 +508,12 @@ _IO_wfile_sync (FILE *fp)
|
||
|
generate the wide characters up to the current reading
|
||
|
position. */
|
||
|
int nread;
|
||
|
-
|
||
|
+ size_t wnread = (fp->_wide_data->_IO_read_ptr
|
||
|
+ - fp->_wide_data->_IO_read_base);
|
||
|
fp->_wide_data->_IO_state = fp->_wide_data->_IO_last_state;
|
||
|
nread = (*cv->__codecvt_do_length) (cv, &fp->_wide_data->_IO_state,
|
||
|
fp->_IO_read_base,
|
||
|
- fp->_IO_read_end, delta);
|
||
|
+ fp->_IO_read_end, wnread);
|
||
|
fp->_IO_read_ptr = fp->_IO_read_base + nread;
|
||
|
delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);
|
||
|
}
|
||
|
|