libio: Check remaining buffer size in _IO_wdo_write (bug 31183)

The multibyte character needs to fit into the remaining buffer space,
not the already-written buffer space.  Without the fix, we were never
moving the write pointer from the start of the buffer, always using
the single-character fallback buffer.

Fixes commit 04b76b5aa8b2d1d19066e42dd1 ("Don't error out writing
a multibyte character to an unbuffered stream (bug 17522)").

(cherry picked from commit ecc7c3deb9f347649c2078fcc0f94d4cedf92d60)

diff --git a/NEWS b/NEWS
index 3e7d07155747f3e8dedf0dda3d75c1ad5dc3462a..c0d999337225ef1fe61f32d54e753de5da1fc580 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,7 @@ The following bugs are resolved with this release:
   [30745] Slight bug in cache info codes for x86
   [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
   [30843] potential use-after-free in getcanonname (CVE-2023-4806)
+  [31183] Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix
   [31184] FAIL: elf/tst-tlsgap
   [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
 \f

diff --git a/libio/wfileops.c b/libio/wfileops.c
index cecea21c1c0e08aed3ddaefdfc2c6d2d30d3d683..e81924529e28578962566fa4492a9c8e9f2c2295 100644 (file)
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do)
          char mb_buf[MB_LEN_MAX];
          char *write_base, *write_ptr, *buf_end;
 
-         if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf))
+         if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf))
            {
              /* Make sure we have room for at least one multibyte
                 character.  */