From: Martin Sebor
Date: Mon, 1 Mar 2021 05:05:39 +0000 (+0530)
Subject: Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)
X-Git-Tag: glibc-2.34~907
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=764e9a0334350f52ab6953bef1db97f9b2e89ca5;p=thirdparty%2Fglibc.git

Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)

An experimental build of GCC 11 with an enhanced -Warray-bounds reports a bug in IO_wdefault_doallocate where the function forms an invalid past-the-end pointer to an allocated wchar_t buffer by failing to consider the scaling by sizeof (wchar_t).

The fix path below corrects this problem. It keeps the buffer size the same as opposed to increasing it according to what other code like it does.

Reviewed-by: Siddhesh Poyarekar
---
diff --git a/libio/wgenops.c b/libio/wgenops.c index 3ae6995fa0b..106ddfd2781 100644 --- a/libio/wgenops.c +++ b/libio/wgenops.c @@ -379,12 +379,11 @@ libc_hidden_def (_IO_wdoallocbuf) int _IO_wdefault_doallocate (FILE *fp) { - wchar_t *buf; - - buf = malloc (BUFSIZ); + wchar_t *buf = (wchar_t *)malloc (BUFSIZ); if (__glibc_unlikely (buf == NULL)) return EOF; - _IO_wsetb (fp, buf, buf + BUFSIZ, 1); + + _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1); return 1; } libc_hidden_def (_IO_wdefault_doallocate)
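Review bot: in _IO_wdefault_doallocate the byte count passed to malloc (`BUFSIZ`) and the element count used for the end pointer (`BUFSIZ / sizeof *buf`) are now two separate expressions that have to stay in step, and nothing in the code records that. The old `buf + BUFSIZ` went wrong precisely because bytes and wchar_t elements were mixed, so a one-line comment above the `_IO_wsetb` call saying that the buffer is BUFSIZ bytes and therefore holds BUFSIZ / sizeof (wchar_t) wide characters would protect the next edit; alternatively compute the element count once in a local and derive both the malloc size and the end pointer from it. Minor style point on the added declaration: the `(wchar_t *)` cast on the malloc result is not needed in C (the removed `buf = malloc (BUFSIZ);` did without it), and if it is kept it should be followed by a space to match the spacing used elsewhere in the function.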