lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-29 11:41:21 +03:00
Code Activity

Fix fwrite() reading beyond end of buffer in error path

Browse Source 
Partially revert commits 2b766585f9 and
de2fd463b1, which were intended to fix BZ#11741
but caused another, likely worse bug, namely that fwrite() and fputs() could,
in an error path, read data beyond the end of the specified buffer, and
potentially even write this data to the file.

Fix BZ#11741 properly by checking the return value from _IO_padn() in
stdio-common/vfprintf.c.
This commit is contained in:
Eric Biggers
2013-10-11 22:29:38 +05:30
committed by Siddhesh Poyarekar
parent 75b4202ab0
commit 3d110c7c6e
8 changed files with 50 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
libio/iofwrite.c
View File

@ -42,12 +42,12 @@ _IO_fwrite (buf, size, count, fp)
if (_IO_vtable_offset (fp) != 0 || _IO_fwide (fp, -1) == -1)
written = _IO_sputn (fp, (const char *) buf, request);
_IO_release_lock (fp);
/* We are guaranteed to have written all of the input, none of it, or
some of it. */
if (written == request)
/* We have written all of the input in case the return value indicates
this or EOF is returned. The latter is a special case where we
simply did not manage to flush the buffer. But the data is in the
buffer and therefore written as far as fwrite is concerned. */
if (written == request || written == EOF)
return count;
else if (written == EOF)
return 0;
else
return written / size;
}