Fix invalid pointer dereference in wcscpy_chk

The src pointer is const and points to a different object, so accessing dest via src is invalid. Reviewed-by: Florian Weimer <fweimer@redhat.com>
2025-07-29 11:41:21 +03:00 · 2022-06-21 14:43:30 +01:00
parent 09c6c6073c
commit e5ece9de14
1 changed files with 7 additions and 27 deletions
--- a/debug/wcscpy_chk.c
+++ b/debug/wcscpy_chk.c
@ -24,36 +24,16 @@ wchar_t *
 __wcscpy_chk (wchar_t *dest, const wchar_t *src, size_t n)
 {
  wint_t c;
-  wchar_t *wcp;
+  wchar_t *wcp = dest;
-  if (__alignof__ (wchar_t) >= sizeof (wchar_t))
+  do
    {
-      const ptrdiff_t off = dest - src - 1;
+      if (__glibc_unlikely (n-- == 0))
-
+        __chk_fail ();
-      wcp = (wchar_t *) src;
+      c = *src++;
-
+      *wcp++ = c;
      do
 	{
 	  if (__glibc_unlikely (n-- == 0))
 	    __chk_fail ();
 	  c = *wcp++;
 	  wcp[off] = c;
 	}
      while (c != L'\0');
    }
  else
    {
      wcp = dest;
      do
 	{
 	  if (__glibc_unlikely (n-- == 0))
 	    __chk_fail ();
 	  c = *src++;
 	  *wcp++ = c;
 	}
      while (c != L'\0');
    }
  while (c != L'\0');
  return dest;
 }