libio: Ensure output buffer for wchars (bug #28828)

The _IO_wfile_overflow does not check if the write pointer for wide data is valid before access, different than _IO_file_overflow. This leads to crash on some cases, as described by bug 28828. The minimal sequence to produce the crash was: #include <stdio.h> #include <wchar.h> int main (int ac, char **av) { setvbuf (stdout, NULL, _IOLBF, 0); fgetwc (stdin); fputwc (10, stdout); /*CRASH HERE!*/ return 0; } The "fgetwc(stdin);" is necessary since it triggers the bug by setting the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c, function _IO_wfile_underflow, line 213). Signed-off-by: Jose Bollo <jobol@nonadev.net>
2025-08-08 17:42:12 +03:00 · 2022-03-08 09:58:16 +01:00
parent 2da6e43916
commit edc696a73a
4 changed files with 36 additions and 2 deletions
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -412,7 +412,8 @@ _IO_wfile_overflow (FILE *f, wint_t wch)
      return WEOF;
    }
  /* If currently reading or no buffer allocated. */
-  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0)
+  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0
+      || f->_wide_data->_IO_write_base == NULL)
    {
      /* Allocate a buffer if needed. */
      if (f->_wide_data->_IO_write_base == 0)