Patchwork [1/2] libio: Multiple fixes for open_{w}memstram (BZ#18241 and BZ#20181)

login
register
mail settings
Submitter Adhemerval Zanella Netto
Date Aug. 5, 2016, 5:40 p.m.
Message ID <1470418850-22175-1-git-send-email-adhemerval.zanella@linaro.org>
Download mbox | patch
Permalink /patch/14341/
State New
Headers show

Comments

Adhemerval Zanella Netto - Aug. 5, 2016, 5:40 p.m.
This patches fixes multiples issues on open_{w}memstream reported on both
BZ#18241 and BZ#20181:

  - failed fseek does not set errno.
  - negative offset in fseek fails even when resulting position is
    a valid one.
  - a flush after write if the current write position is not at the
    end of the stream currupt data.

The main fix is on seek operation for memstream (_IO_{w}str_seekoff), where
both _IO_read_ptr and _IO_read_end pointer are updated if a write operation
has occured (similar to default file operations).  Also, to calculate the
offset on both read and write pointers, a temporary value is instead of
updating the argument supplied value.  Negative offset are valid if resulting
internal pointer is within the range of _IO_{read,write}_base and
_IO_{read,write}_end.  For invalid position a different return error than
EOF is used so _IO_seekoff_unlocked can set errno accordingly.

Also POSIX states that a null or wide null shall be appended to the current
buffer iff a write moves the position to a value larger than the current
lenght.  Current implementation appends a null or wide null regardless
of this condition.  This patch fixes it by removing the 'else' condition
on _IO_{w}mem_sync.

Checked on x86_64.

	[BZ #18241]
	[BZ #20181]
	* libio/Makefile (test): Add tst-memstream3 and tst-wmemstream3.
	* libio/ioseekoff.c (_IO_seekoff_unlocked): Check if _IO_SEEKOFF
	returns an invalid position and set errno accordingly.
	* libio/libioP.h (INVALPOS): New define.
	* libio/memstream.c (_IO_mem_sync): Only append a null byte if
	write position is at the end the buffer.
	* libio/wmemstream.c (_IO_wmem_sync): Likewise.
	* libio/strops.c (_IO_str_switch_to_get_mode): New function.
	(_IO_str_seekoff): Set correct offset from negative displacement and
	return INVALPOS for invalid ones.
	* libio/wstrops.c (enlarge_userbuf): Use correct function to calculate
	buffer length.
	(_IO_wstr_switch_to_get_mode): New function.
	(_IO_wstr_seekoff): Set correct offset from negative displacement and
	return INVALPOS for invalid ones.
	* libio/tst-memstream3.c: New file.
	* libio/tst-wmemstream3.c: Likewise.
	* manual/examples/memstrm.c: Remove warning when priting size_t.
---
 ChangeLog                 |  23 +++++++
 libio/Makefile            |   4 +-
 libio/ioseekoff.c         |   8 ++-
 libio/libioP.h            |   1 +
 libio/memstream.c         |   2 -
 libio/strops.c            |  75 ++++++++++++++--------
 libio/tst-memstream3.c    | 155 ++++++++++++++++++++++++++++++++++++++++++++++
 libio/tst-wmemstream3.c   |  44 +++++++++++++
 libio/wmemstream.c        |   2 -
 libio/wstrops.c           |  79 +++++++++++++++--------
 manual/examples/memstrm.c |   4 +-
 11 files changed, 335 insertions(+), 62 deletions(-)
 create mode 100644 libio/tst-memstream3.c
 create mode 100644 libio/tst-wmemstream3.c
Andreas Schwab - Aug. 5, 2016, 8:11 p.m.
On Fr, Aug 05 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:

> For invalid position a different return error than EOF is used so
> _IO_seekoff_unlocked can set errno accordingly.

Is that needed?  Can't the functions set errno themselves?

> diff --git a/libio/tst-memstream3.c b/libio/tst-memstream3.c
> new file mode 100644
> index 0000000..ce4e60d
> --- /dev/null
> +++ b/libio/tst-memstream3.c
> @@ -0,0 +1,155 @@
> +/* Test for open_memstream implementation.
> +   Copyright (C) 2016 Free Software Foundation, Inc.
> +   This file is part of the GNU C Library.
> +
> +   The GNU C Library is free software; you can redistribute it and/or
> +   modify it under the terms of the GNU Lesser General Public
> +   License as published by the Free Software Foundation; either
> +   version 2.1 of the License, or (at your option) any later version.
> +
> +   The GNU C Library is distributed in the hope that it will be useful,
> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +   Lesser General Public License for more details.
> +
> +   You should have received a copy of the GNU Lesser General Public
> +   License along with the GNU C Library; if not, see
> +   <http://www.gnu.org/licenses/>.  */
> +
> +#include <mcheck.h>
> +#include <stdio.h>
> +#include <errno.h>
> +
> +
> +#ifndef CHAR_T
> +# define CHAR_T char
> +# define W(o) o
> +# define OPEN_MEMSTREAM open_memstream
> +# define PRINTF printf
> +# define FWRITE fwrite
> +# define FPUTC fputc
> +# define STRCMP strcmp
> +#endif
> +
> +#define S(s) S1 (s)
> +#define S1(s) #s
> +
> +static void
> +mcheck_abort (enum mcheck_status ev)
> +{
> +  printf ("mecheck failed with status %d\n", (int) ev);
> +  exit (1);
> +}
> +
> +#define LOC2(l) "error: " __FILE__ ":" #l
> +#define LOC1(l) LOC2(l)
> +#define ERROR_RET1(...) \
> +  { printf(LOC1(__LINE__) ": " __VA_ARGS__); return 1; }

Putting __FILE__ into the format string is unsafe, it could contain %.

> @@ -262,25 +279,29 @@ _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
>        /* Move the get pointer, if requested. */
>        if (mode & _IOS_INPUT)
>  	{
> +	  _IO_ssize_t base;
>  	  switch (dir)
>  	    {
> -	    case _IO_seek_end:
> -	      offset += cur_size;
> +	    case _IO_seek_set:
> +	      base = 0;
>  	      break;
>  	    case _IO_seek_cur:
> -	      offset += (fp->_wide_data->_IO_read_ptr
> +	      base = (fp->_wide_data->_IO_read_ptr
>  			 - fp->_wide_data->_IO_read_base);

Reindent.

>  	      break;
> -	    default: /* case _IO_seek_set: */
> +	    default: /* case _IO_seek_end: */
> +	      base = cur_size;
>  	      break;
>  	    }
> -	  if (offset < 0)
> -	    return EOF;
> -	  if ((_IO_ssize_t) offset > cur_size
> -	      && enlarge_userbuf (fp, offset, 1) != 0)
> +	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;

Space around operator.

> @@ -289,26 +310,30 @@ _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
>        /* Move the put pointer, if requested. */
>        if (mode & _IOS_OUTPUT)
>  	{
> +	  _IO_ssize_t base;
>  	  switch (dir)
>  	    {
> -	    case _IO_seek_end:
> -	      offset += cur_size;
> +	    case _IO_seek_set:
> +	      base = 0;
>  	      break;
>  	    case _IO_seek_cur:
> -	      offset += (fp->_wide_data->_IO_write_ptr
> +	      base = (fp->_wide_data->_IO_write_ptr
>  			 - fp->_wide_data->_IO_write_base);

Reindent.

>  	      break;
> -	    default: /* case _IO_seek_set: */
> +	    default: /* case _IO_seek_end: */
> +	      base = cur_size;
>  	      break;
>  	    }
> -	  if (offset < 0)
> -	    return EOF;
> -	  if ((_IO_ssize_t) offset > cur_size
> -	      && enlarge_userbuf (fp, offset, 0) != 0)
> +	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;

Space around operator.

Andreas.
Adhemerval Zanella Netto - Aug. 5, 2016, 8:59 p.m.
On 05/08/2016 17:11, Andreas Schwab wrote:
> On Fr, Aug 05 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
> 
>> For invalid position a different return error than EOF is used so
>> _IO_seekoff_unlocked can set errno accordingly.
> 
> Is that needed?  Can't the functions set errno themselves?

I don't have a strong preference here, I just noted that other strops.c function
do not touched errno and I though to be safer to set on _IO_seekoff function.
But I noted that fileops.c does set errno, so I thunk we can do it here as
well.

> 
>> diff --git a/libio/tst-memstream3.c b/libio/tst-memstream3.c
>> new file mode 100644
>> index 0000000..ce4e60d
>> --- /dev/null
>> +++ b/libio/tst-memstream3.c
>> @@ -0,0 +1,155 @@
>> +/* Test for open_memstream implementation.
>> +   Copyright (C) 2016 Free Software Foundation, Inc.
>> +   This file is part of the GNU C Library.
>> +
>> +   The GNU C Library is free software; you can redistribute it and/or
>> +   modify it under the terms of the GNU Lesser General Public
>> +   License as published by the Free Software Foundation; either
>> +   version 2.1 of the License, or (at your option) any later version.
>> +
>> +   The GNU C Library is distributed in the hope that it will be useful,
>> +   but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
>> +   Lesser General Public License for more details.
>> +
>> +   You should have received a copy of the GNU Lesser General Public
>> +   License along with the GNU C Library; if not, see
>> +   <http://www.gnu.org/licenses/>.  */
>> +
>> +#include <mcheck.h>
>> +#include <stdio.h>
>> +#include <errno.h>
>> +
>> +
>> +#ifndef CHAR_T
>> +# define CHAR_T char
>> +# define W(o) o
>> +# define OPEN_MEMSTREAM open_memstream
>> +# define PRINTF printf
>> +# define FWRITE fwrite
>> +# define FPUTC fputc
>> +# define STRCMP strcmp
>> +#endif
>> +
>> +#define S(s) S1 (s)
>> +#define S1(s) #s
>> +
>> +static void
>> +mcheck_abort (enum mcheck_status ev)
>> +{
>> +  printf ("mecheck failed with status %d\n", (int) ev);
>> +  exit (1);
>> +}
>> +
>> +#define LOC2(l) "error: " __FILE__ ":" #l
>> +#define LOC1(l) LOC2(l)
>> +#define ERROR_RET1(...) \
>> +  { printf(LOC1(__LINE__) ": " __VA_ARGS__); return 1; }
> 
> Putting __FILE__ into the format string is unsafe, it could contain %.
> 
>> @@ -262,25 +279,29 @@ _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
>>        /* Move the get pointer, if requested. */
>>        if (mode & _IOS_INPUT)
>>  	{
>> +	  _IO_ssize_t base;
>>  	  switch (dir)
>>  	    {
>> -	    case _IO_seek_end:
>> -	      offset += cur_size;
>> +	    case _IO_seek_set:
>> +	      base = 0;
>>  	      break;
>>  	    case _IO_seek_cur:
>> -	      offset += (fp->_wide_data->_IO_read_ptr
>> +	      base = (fp->_wide_data->_IO_read_ptr
>>  			 - fp->_wide_data->_IO_read_base);
> 
> Reindent.

Ack.

> 
>>  	      break;
>> -	    default: /* case _IO_seek_set: */
>> +	    default: /* case _IO_seek_end: */
>> +	      base = cur_size;
>>  	      break;
>>  	    }
>> -	  if (offset < 0)
>> -	    return EOF;
>> -	  if ((_IO_ssize_t) offset > cur_size
>> -	      && enlarge_userbuf (fp, offset, 1) != 0)
>> +	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;
> 
> Space around operator.

Ack.

> 
>> @@ -289,26 +310,30 @@ _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
>>        /* Move the put pointer, if requested. */
>>        if (mode & _IOS_OUTPUT)
>>  	{
>> +	  _IO_ssize_t base;
>>  	  switch (dir)
>>  	    {
>> -	    case _IO_seek_end:
>> -	      offset += cur_size;
>> +	    case _IO_seek_set:
>> +	      base = 0;
>>  	      break;
>>  	    case _IO_seek_cur:
>> -	      offset += (fp->_wide_data->_IO_write_ptr
>> +	      base = (fp->_wide_data->_IO_write_ptr
>>  			 - fp->_wide_data->_IO_write_base);
> 
> Reindent.
> 

Ack.

>>  	      break;
>> -	    default: /* case _IO_seek_set: */
>> +	    default: /* case _IO_seek_end: */
>> +	      base = cur_size;
>>  	      break;
>>  	    }
>> -	  if (offset < 0)
>> -	    return EOF;
>> -	  if ((_IO_ssize_t) offset > cur_size
>> -	      && enlarge_userbuf (fp, offset, 0) != 0)
>> +	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;
> 
> Space around operator.
>

Ack.
 
> Andreas.
>

Patch

diff --git a/libio/Makefile b/libio/Makefile
index 12589f2..0c7751c 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -56,8 +56,8 @@  tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
 	tst-mmap-eofsync tst-mmap-fflushsync bug-mmap-fflush \
 	tst-mmap2-eofsync tst-mmap-offend bug-fopena+ bug-wfflush \
 	bug-ungetc2 bug-ftell bug-ungetc3 bug-ungetc4 tst-fopenloc2 \
-	tst-memstream1 tst-memstream2 \
-	tst-wmemstream1 tst-wmemstream2 \
+	tst-memstream1 tst-memstream2 tst-memstream3 \
+	tst-wmemstream1 tst-wmemstream2 tst-wmemstream3 \
 	bug-memstream1 bug-wmemstream1 \
 	tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
 	tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
diff --git a/libio/ioseekoff.c b/libio/ioseekoff.c
index 05d90bb..aff63bc 100644
--- a/libio/ioseekoff.c
+++ b/libio/ioseekoff.c
@@ -62,7 +62,13 @@  _IO_seekoff_unlocked (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
 	_IO_free_wbackup_area (fp);
     }
 
-  return _IO_SEEKOFF (fp, offset, dir, mode);
+  _IO_off64_t result = _IO_SEEKOFF (fp, offset, dir, mode);
+  if (result == INVALPOS)
+    {
+      __set_errno (EINVAL);
+      return EOF;
+    }
+  return result;
 }
 
 
diff --git a/libio/libioP.h b/libio/libioP.h
index 3e12876..e12109b 100644
--- a/libio/libioP.h
+++ b/libio/libioP.h
@@ -717,6 +717,7 @@  extern _IO_off64_t _IO_seekpos_unlocked (_IO_FILE *, _IO_off64_t, int)
 #ifndef EOF
 # define EOF (-1)
 #endif
+#define INVALPOS (-2)
 #ifndef NULL
 # if defined __GNUG__ && \
     (__GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 8))
diff --git a/libio/memstream.c b/libio/memstream.c
index e20b9c2..f1e8d58 100644
--- a/libio/memstream.c
+++ b/libio/memstream.c
@@ -112,8 +112,6 @@  _IO_mem_sync (_IO_FILE *fp)
       _IO_str_overflow (fp, '\0');
       --fp->_IO_write_ptr;
     }
-  else
-    *fp->_IO_write_ptr = '\0';
 
   *mp->bufloc = fp->_IO_write_base;
   *mp->sizeloc = fp->_IO_write_ptr - fp->_IO_write_base;
diff --git a/libio/strops.c b/libio/strops.c
index 2ba3704..a50ad1b 100644
--- a/libio/strops.c
+++ b/libio/strops.c
@@ -230,6 +230,21 @@  enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
   return 0;
 }
 
+static void
+_IO_str_switch_to_get_mode (_IO_FILE *fp)
+{
+  if (_IO_in_backup (fp))
+    fp->_IO_read_base = fp->_IO_backup_base;
+  else
+    {
+      fp->_IO_read_base = fp->_IO_buf_base;
+      if (fp->_IO_write_ptr > fp->_IO_read_end)
+        fp->_IO_read_end = fp->_IO_write_ptr;
+    }
+  fp->_IO_read_ptr = fp->_IO_read_end = fp->_IO_write_ptr;
+
+  fp->_flags &= ~_IO_CURRENTLY_PUTTING;
+}
 
 _IO_off64_t
 _IO_str_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
@@ -239,14 +254,14 @@  _IO_str_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
   if (mode == 0 && (fp->_flags & _IO_TIED_PUT_GET))
     mode = (fp->_flags & _IO_CURRENTLY_PUTTING ? _IOS_OUTPUT : _IOS_INPUT);
 
+  bool was_writing = (fp->_IO_write_ptr > fp->_IO_write_base
+		     || _IO_in_put_mode (fp));
+  if (was_writing)
+    _IO_str_switch_to_get_mode (fp);
+
   if (mode == 0)
     {
-      /* Don't move any pointers. But there is no clear indication what
-	 mode FP is in. Let's guess. */
-      if (fp->_IO_file_flags & _IO_NO_WRITES)
-        new_pos = fp->_IO_read_ptr - fp->_IO_read_base;
-      else
-        new_pos = fp->_IO_write_ptr - fp->_IO_write_base;
+      new_pos = fp->_IO_read_ptr - fp->_IO_read_base;
     }
   else
     {
@@ -256,48 +271,56 @@  _IO_str_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
       /* Move the get pointer, if requested. */
       if (mode & _IOS_INPUT)
 	{
+	  _IO_ssize_t base;
 	  switch (dir)
 	    {
-	    case _IO_seek_end:
-	      offset += cur_size;
+	    case _IO_seek_set:
+	      base = 0;
 	      break;
 	    case _IO_seek_cur:
-	      offset += fp->_IO_read_ptr - fp->_IO_read_base;
+	      base = fp->_IO_read_ptr - fp->_IO_read_base;
 	      break;
-	    default: /* case _IO_seek_set: */
+	    default: /* case _IO_seek_end: */
+	      base = cur_size;
 	      break;
 	    }
-	  if (offset < 0)
+	  _IO_ssize_t maxval = SSIZE_MAX - base;
+	  if (offset < -base || offset > maxval)
+	    return INVALPOS;
+	  base += offset;
+	  if (base > cur_size
+	      && enlarge_userbuf (fp, base, 1) != 0)
 	    return EOF;
-	  if ((_IO_ssize_t) offset > cur_size
-	      && enlarge_userbuf (fp, offset, 1) != 0)
-	    return EOF;
-	  fp->_IO_read_ptr = fp->_IO_read_base + offset;
+	  fp->_IO_read_ptr = fp->_IO_read_base + base;
 	  fp->_IO_read_end = fp->_IO_read_base + cur_size;
-	  new_pos = offset;
+	  new_pos = base;
 	}
 
       /* Move the put pointer, if requested. */
       if (mode & _IOS_OUTPUT)
 	{
+	  _IO_ssize_t base;
 	  switch (dir)
 	    {
-	    case _IO_seek_end:
-	      offset += cur_size;
+	    case _IO_seek_set:
+	      base = 0;
 	      break;
 	    case _IO_seek_cur:
-	      offset += fp->_IO_write_ptr - fp->_IO_write_base;
+	      base = fp->_IO_write_ptr - fp->_IO_write_base;
 	      break;
-	    default: /* case _IO_seek_set: */
+	    default: /* case _IO_seek_end: */
+	      base = cur_size;
 	      break;
 	    }
-	  if (offset < 0)
-	    return EOF;
-	  if ((_IO_ssize_t) offset > cur_size
-	      && enlarge_userbuf (fp, offset, 0) != 0)
+	  _IO_ssize_t maxval = SSIZE_MAX - base;
+	  if (offset < -base || offset > maxval)
+	    return INVALPOS;
+	  base += offset;
+	  if (base > cur_size
+	      && enlarge_userbuf (fp, base, 0) != 0)
 	    return EOF;
-	  fp->_IO_write_ptr = fp->_IO_write_base + offset;
-	  new_pos = offset;
+	  fp->_IO_write_ptr = fp->_IO_write_base + base;
+	  new_pos = base;
 	}
     }
   return new_pos;
diff --git a/libio/tst-memstream3.c b/libio/tst-memstream3.c
new file mode 100644
index 0000000..ce4e60d
--- /dev/null
+++ b/libio/tst-memstream3.c
@@ -0,0 +1,155 @@ 
+/* Test for open_memstream implementation.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <mcheck.h>
+#include <stdio.h>
+#include <errno.h>
+
+
+#ifndef CHAR_T
+# define CHAR_T char
+# define W(o) o
+# define OPEN_MEMSTREAM open_memstream
+# define PRINTF printf
+# define FWRITE fwrite
+# define FPUTC fputc
+# define STRCMP strcmp
+#endif
+
+#define S(s) S1 (s)
+#define S1(s) #s
+
+static void
+mcheck_abort (enum mcheck_status ev)
+{
+  printf ("mecheck failed with status %d\n", (int) ev);
+  exit (1);
+}
+
+#define LOC2(l) "error: " __FILE__ ":" #l
+#define LOC1(l) LOC2(l)
+#define ERROR_RET1(...) \
+  { printf(LOC1(__LINE__) ": " __VA_ARGS__); return 1; }
+
+static int
+do_test_bz18241 (void)
+{
+  CHAR_T *buf;
+  size_t size;
+
+  FILE *fp = OPEN_MEMSTREAM (&buf, &size);
+  if (fp == NULL)
+    ERROR_RET1 ("%s failed\n", S(OPEN_MEMSTREAM));
+
+  if (FPUTC (W('a'), fp) != W('a'))
+    ERROR_RET1 ("%s failed (errno = %d)\n", S(FPUTC), errno);
+  if (fflush (fp) != 0)
+    ERROR_RET1 ("fflush failed (errno = %d)\n", errno);
+  if (fseek (fp, -2, SEEK_SET) != -1)
+    ERROR_RET1 ("fseek failed (errno = %d)\n", errno);
+  if (errno != EINVAL)
+    ERROR_RET1 ("errno != EINVAL\n");
+  if (ftell (fp) != 1)
+    ERROR_RET1 ("ftell failed (errno = %d)\n", errno);
+  if (ferror (fp) != 0)
+    ERROR_RET1 ("ferror != 0\n");
+
+  if (fseek (fp, -1, SEEK_CUR) == -1)
+    ERROR_RET1 ("fseek failed (errno = %d)\n", errno);
+  if (ftell (fp) != 0)
+    ERROR_RET1 ("ftell failed (errno = %d)\n", errno);
+  if (ferror (fp) != 0)
+    ERROR_RET1 ("ferror != 0\n");
+  if (FPUTC (W('b'), fp) != W('b'))
+    ERROR_RET1 ("%s failed (errno = %d)\n", S(FPUTC), errno);
+  if (fflush (fp) != 0)
+    ERROR_RET1 ("fflush failed (errno = %d)\n", errno);
+
+  if (fclose (fp) != 0)
+    ERROR_RET1 ("fclose failed (errno = %d\n", errno);
+
+  if (STRCMP (buf, W("b")) != 0)
+    ERROR_RET1 ("%s failed\n", S(STRCMP));
+
+  free (buf);
+
+  return 0;
+}
+
+static int
+do_test_bz20181 (void)
+{
+  CHAR_T *buf;
+  size_t size;
+  size_t ret;
+
+  FILE *fp = OPEN_MEMSTREAM (&buf, &size);
+  if (fp == NULL)
+    ERROR_RET1 ("%s failed\n", S(OPEN_MEMSTREAM));
+
+  if ((ret = FWRITE (W("abc"), 1, 3, fp)) != 3)
+    ERROR_RET1 ("%s failed (errno = %d)\n", S(FWRITE), errno);
+
+  if (fseek (fp, 0, SEEK_SET) != 0)
+    ERROR_RET1 ("fseek failed (errno = %d)\n", errno);
+
+  if (FWRITE (W("z"), 1, 1, fp) != 1)
+    ERROR_RET1 ("%s failed (errno = %d)\n", S(FWRITE), errno);
+
+  if (fflush (fp) != 0)
+    ERROR_RET1 ("fflush failed (errno = %d)\n", errno);
+
+  /* Avoid truncating the buffer on close.  */
+  if (fseek (fp, 3, SEEK_SET) != 0)
+    ERROR_RET1 ("fseek failed (errno = %d)\n", errno);
+
+  if (fclose (fp) != 0)
+    ERROR_RET1 ("fclose failed (errno = %d\n", errno);
+
+  if (size != 3)
+    ERROR_RET1 ("size != 3\n");
+
+  if (buf[0] != W('z')
+      || buf[1] != W('b')
+      || buf[2] != W('c'))
+    {
+      PRINTF (W("error: buf {%c,%c,%c} != {z,b,c}\n"),
+	      buf[0], buf[1], buf[2]);
+      return 1;
+    }
+    
+  free (buf);
+
+  return 0;
+}
+
+static int
+do_test (void)
+{
+  int ret = 0;
+
+  mcheck_pedantic (mcheck_abort);
+
+  ret += do_test_bz18241 ();
+  ret += do_test_bz20181 ();
+
+  return ret;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/libio/tst-wmemstream3.c b/libio/tst-wmemstream3.c
new file mode 100644
index 0000000..190283a
--- /dev/null
+++ b/libio/tst-wmemstream3.c
@@ -0,0 +1,44 @@ 
+/* Test for open_memstream implementation.
+   Copyright (C) 2016 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <wchar.h>
+
+/* Straighforward implementation so tst-memstream3 could use check
+   fwrite on open_memstream.  */
+static size_t
+fwwrite (const void *ptr, size_t size, size_t nmemb, FILE *arq)
+{
+  const wchar_t *wcs = (const wchar_t*) (ptr);
+  for (size_t s = 0; s < size; s++)
+    {
+      for (size_t n = 0; n < nmemb; n++)
+        if (fputwc (wcs[n], arq) == WEOF)
+          return n; 
+    }
+  return size * nmemb; 
+}
+
+#define CHAR_T wchar_t
+#define W(o) L##o
+#define OPEN_MEMSTREAM open_wmemstream
+#define PRINTF wprintf
+#define FWRITE fwwrite
+#define FPUTC  fputwc
+#define STRCMP wcscmp
+
+#include "tst-memstream3.c"
diff --git a/libio/wmemstream.c b/libio/wmemstream.c
index bf2a50b..fd01be0 100644
--- a/libio/wmemstream.c
+++ b/libio/wmemstream.c
@@ -112,8 +112,6 @@  _IO_wmem_sync (_IO_FILE *fp)
       _IO_wstr_overflow (fp, '\0');
       --fp->_wide_data->_IO_write_ptr;
     }
-  else
-    *fp->_wide_data->_IO_write_ptr = '\0';
 
   *mp->bufloc = fp->_wide_data->_IO_write_base;
   *mp->sizeloc = (fp->_wide_data->_IO_write_ptr
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 09fa543..58b7a22 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -169,7 +169,7 @@  _IO_wstr_count (_IO_FILE *fp)
 static int
 enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
 {
-  if ((_IO_ssize_t) offset <= _IO_blen (fp))
+  if ((_IO_ssize_t) offset <= _IO_wblen (fp))
     return 0;
 
   struct _IO_wide_data *wd = fp->_wide_data;
@@ -235,6 +235,22 @@  enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
   return 0;
 }
 
+static void
+_IO_wstr_switch_to_get_mode (_IO_FILE *fp)
+{
+  if (_IO_in_backup (fp))
+    fp->_wide_data->_IO_read_base = fp->_wide_data->_IO_backup_base;
+  else
+    {
+      fp->_wide_data->_IO_read_base = fp->_wide_data->_IO_buf_base;
+      if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_read_end)
+        fp->_wide_data->_IO_read_end = fp->_wide_data->_IO_write_ptr;
+    }
+  fp->_wide_data->_IO_read_ptr = fp->_wide_data->_IO_write_ptr;
+  fp->_wide_data->_IO_read_end = fp->_wide_data->_IO_write_ptr;
+
+  fp->_flags &= ~_IO_CURRENTLY_PUTTING;
+}
 
 _IO_off64_t
 _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
@@ -244,15 +260,16 @@  _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
   if (mode == 0 && (fp->_flags & _IO_TIED_PUT_GET))
     mode = (fp->_flags & _IO_CURRENTLY_PUTTING ? _IOS_OUTPUT : _IOS_INPUT);
 
+  bool was_writing = (fp->_wide_data->_IO_write_ptr >
+			fp->_wide_data->_IO_write_base
+		     || _IO_in_put_mode (fp));
+  if (was_writing)
+    _IO_wstr_switch_to_get_mode (fp);
+
   if (mode == 0)
     {
-      /* Don't move any pointers. But there is no clear indication what
-	 mode FP is in. Let's guess. */
-      if (fp->_IO_file_flags & _IO_NO_WRITES)
-        new_pos = fp->_wide_data->_IO_read_ptr - fp->_wide_data->_IO_read_base;
-      else
-        new_pos = (fp->_wide_data->_IO_write_ptr
-		   - fp->_wide_data->_IO_write_base);
+      new_pos = (fp->_wide_data->_IO_write_ptr
+		 - fp->_wide_data->_IO_write_base);
     }
   else
     {
@@ -262,25 +279,29 @@  _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
       /* Move the get pointer, if requested. */
       if (mode & _IOS_INPUT)
 	{
+	  _IO_ssize_t base;
 	  switch (dir)
 	    {
-	    case _IO_seek_end:
-	      offset += cur_size;
+	    case _IO_seek_set:
+	      base = 0;
 	      break;
 	    case _IO_seek_cur:
-	      offset += (fp->_wide_data->_IO_read_ptr
+	      base = (fp->_wide_data->_IO_read_ptr
 			 - fp->_wide_data->_IO_read_base);
 	      break;
-	    default: /* case _IO_seek_set: */
+	    default: /* case _IO_seek_end: */
+	      base = cur_size;
 	      break;
 	    }
-	  if (offset < 0)
-	    return EOF;
-	  if ((_IO_ssize_t) offset > cur_size
-	      && enlarge_userbuf (fp, offset, 1) != 0)
+	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;
+	  if (offset < -base || offset > maxval)
+	    return INVALPOS;
+	  base += offset;
+	  if (base > cur_size
+	      && enlarge_userbuf (fp, base, 1) != 0)
 	    return EOF;
 	  fp->_wide_data->_IO_read_ptr = (fp->_wide_data->_IO_read_base
-					  + offset);
+					  + base);
 	  fp->_wide_data->_IO_read_end = (fp->_wide_data->_IO_read_base
 					  + cur_size);
 	  new_pos = offset;
@@ -289,26 +310,30 @@  _IO_wstr_seekoff (_IO_FILE *fp, _IO_off64_t offset, int dir, int mode)
       /* Move the put pointer, if requested. */
       if (mode & _IOS_OUTPUT)
 	{
+	  _IO_ssize_t base;
 	  switch (dir)
 	    {
-	    case _IO_seek_end:
-	      offset += cur_size;
+	    case _IO_seek_set:
+	      base = 0;
 	      break;
 	    case _IO_seek_cur:
-	      offset += (fp->_wide_data->_IO_write_ptr
+	      base = (fp->_wide_data->_IO_write_ptr
 			 - fp->_wide_data->_IO_write_base);
 	      break;
-	    default: /* case _IO_seek_set: */
+	    default: /* case _IO_seek_end: */
+	      base = cur_size;
 	      break;
 	    }
-	  if (offset < 0)
-	    return EOF;
-	  if ((_IO_ssize_t) offset > cur_size
-	      && enlarge_userbuf (fp, offset, 0) != 0)
+	  _IO_ssize_t maxval = SSIZE_MAX/sizeof(wchar_t) - base;
+	  if (offset < -base || offset > maxval)
+	    return INVALPOS;
+	  base += offset;
+	  if (base > cur_size
+	      && enlarge_userbuf (fp, base, 0) != 0)
 	    return EOF;
 	  fp->_wide_data->_IO_write_ptr = (fp->_wide_data->_IO_write_base
-					   + offset);
-	  new_pos = offset;
+					   + base);
+	  new_pos = base;
 	}
     }
   return new_pos;
diff --git a/manual/examples/memstrm.c b/manual/examples/memstrm.c
index 0d443b1..5701ba1 100644
--- a/manual/examples/memstrm.c
+++ b/manual/examples/memstrm.c
@@ -27,10 +27,10 @@  main (void)
   stream = open_memstream (&bp, &size);
   fprintf (stream, "hello");
   fflush (stream);
-  printf ("buf = `%s', size = %d\n", bp, size);
+  printf ("buf = `%s', size = %zu\n", bp, size);
   fprintf (stream, ", world");
   fclose (stream);
-  printf ("buf = `%s', size = %d\n", bp, size);
+  printf ("buf = `%s', size = %zu\n", bp, size);
 
   return 0;
 }