From: Andreas Schwab Date: Thu, 25 Jun 2015 09:53:06 +0000 (+0200) Subject: Fix buffer overflow for writes to memory buffer stream (bug 18549) X-Git-Tag: glibc-2.22~132 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7c2ce714d4e853aadbec13b920576fdfada520f1;p=thirdparty%2Fglibc.git Fix buffer overflow for writes to memory buffer stream (bug 18549) --- diff --git a/ChangeLog b/ChangeLog index 7fe8b821960..76b303e4ec3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-06-25 Andreas Schwab + + [BZ #18549] + * libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC. + * libio/test-fmemopen.c (do_test): Add test for it. + 2015-06-25 H.J. Lu [BZ #17841] diff --git a/NEWS b/NEWS index 58f85e79bb8..35a077e2556 100644 --- a/NEWS +++ b/NEWS @@ -24,7 +24,8 @@ Version 2.22 18434, 18444, 18468, 18469, 18470, 18479, 18483, 18495, 18496, 18497, 18498, 18507, 18512, 18513, 18519, 18520, 18522, 18527, 18528, 18529, 18530, 18532, 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, - 18546, 18547, 18553, 18558, 18569, 18583, 18585, 18586, 18593, 18594. + 18546, 18547, 18549, 18553, 18558, 18569, 18583, 18585, 18586, 18593, + 18594. * Cache information can be queried via sysconf() function on s390 e.g. with _SC_LEVEL1_ICACHE_SIZE as argument. diff --git a/libio/fmemopen.c b/libio/fmemopen.c index 6c50fba2213..06e5ab80025 100644 --- a/libio/fmemopen.c +++ b/libio/fmemopen.c @@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s) if (c->pos + s + addnullc > c->size) { - if ((size_t) (c->pos + addnullc) == c->size) + if ((size_t) (c->pos + addnullc) >= c->size) { __set_errno (ENOSPC); return 0; diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c index cddf0cf5e1e..63ca89f3000 100644 --- a/libio/test-fmemopen.c +++ b/libio/test-fmemopen.c 
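Review bot: The `>=` in the inner check of fmemopen_write is the entire fix, yet nothing beside it records why `==` was insufficient. When `c->pos` already equals `c->size` and a terminating NUL is to be appended, `c->pos + addnullc` is one past `c->size`, so the equality test let that case through instead of failing with ENOSPC. I would add a comment above the test such as `/* Also covers pos + addnullc already past size, not just equal to it: no byte can be stored, so fail with ENOSPC.  */`. The function body begins and ends outside the hunk, so how `s` is used after this block could not be checked here.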
@@ -21,21 +21,30 @@ static char buffer[] = "foobar"; #include #include +#include static int do_test (void) { int ch; FILE *stream; + int ret = 0; - stream = fmemopen (buffer, strlen (buffer), "r"); + stream = fmemopen (buffer, strlen (buffer), "r+"); while ((ch = fgetc (stream)) != EOF) printf ("Got %c\n", ch); + fputc ('1', stream); + if (fflush (stream) != EOF || errno != ENOSPC) + { + printf ("fflush didn't fail with ENOSPC\n"); + ret = 1; + } + fclose (stream); - return 0; + return ret; } #define TEST_FUNCTION do_test ()
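Review bot: The new check in do_test reads `errno` without clearing it first and never looks at `buffer` afterwards, so it confirms the error report but not that the memory was left alone. Setting `errno = 0;` before `fputc ('1', stream);` would keep a stale value from an earlier call out of the comparison. A follow-up such as `if (memcmp (buffer, "foobar", sizeof buffer) != 0) ret = 1;` after `fclose` would pin the no-write behaviour (assuming `<string.h>` is among the includes, which the `strlen` call suggests). The return value of `fmemopen` is also used unchecked, so a failed open would show up as a crash instead of a test failure.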