Fix buffer overflow for writes to memory buffer stream (bug 18549)

diff --git a/ChangeLog b/ChangeLog
index 7fe8b821960dc39668002e869c23c1e1a02315f0..76b303e4ec3c9d9269cfda97c84f1266e9530f34 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-06-25  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #18549]
+       * libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC.
+       * libio/test-fmemopen.c (do_test): Add test for it.
+
 2015-06-25  H.J. Lu  <hongjiu.lu@intel.com>
 
        [BZ #17841]

diff --git a/NEWS b/NEWS
index 58f85e79bb804d353c298a6446027fa93ad4514a..35a077e2556cdb08287e0f6445afac6f47dbc4a3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,7 +24,8 @@ Version 2.22
   18434, 18444, 18468, 18469, 18470, 18479, 18483, 18495, 18496, 18497,
   18498, 18507, 18512, 18513, 18519, 18520, 18522, 18527, 18528, 18529,
   18530, 18532, 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545,
-  18546, 18547, 18553, 18558, 18569, 18583, 18585, 18586, 18593, 18594.
+  18546, 18547, 18549, 18553, 18558, 18569, 18583, 18585, 18586, 18593,
+  18594.
 
 * Cache information can be queried via sysconf() function on s390 e.g. with
   _SC_LEVEL1_ICACHE_SIZE as argument.

diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba22130ab4970842b43223c878fbe387d96..06e5ab80025640ee42770119b566e005cdfe3835 100644 (file)
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
        {
          __set_errno (ENOSPC);
          return 0;

diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf5e1efc787306782fbab339cec4c4f4db2..63ca89f300091b92448587eddcb89b04d86a0e03 100644 (file)
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()