diff mbox series

correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)

Message ID 92cfb8c8-4fe9-8793-f378-a2c593de7493@gmail.com
State New
Headers show
Series correct buffer end pointer in IO_wdefault_doallocate (BZ #26874) | expand

Commit Message

Martin Sebor Jan. 1, 2021, 10:34 p.m. UTC
An experimental build of GCC 11 with an enhanced -Warray-bounds
reports a bug in IO_wdefault_doallocate where the function forms
an invalid past-the-end pointer to an allocated wchar_t buffer
by failingf to consider the scaling by sizeof (wchar_t).

The fix path below corrects this problem.  It keeps the buffer
size the same as opposed to increasing it according to what other
code like it does.

Since the bug looks like it might be exploitable I tried to create
a test case to trigger a call to _IO_wdefault_doallocate but couldn't.
No test in the test suite seems to either, so I post this patch without

diff mbox series


diff --git a/libio/wgenops.c b/libio/wgenops.c
index 0a242d93ca..153b1da8dc 100644
--- a/libio/wgenops.c
+++ b/libio/wgenops.c
@@ -379,12 +379,11 @@  libc_hidden_def (_IO_wdoallocbuf)
  _IO_wdefault_doallocate (FILE *fp)
-  wchar_t *buf;
-  buf = malloc (BUFSIZ);
+  wchar_t *buf = (wchar_t *)malloc (BUFSIZ);
    if (__glibc_unlikely (buf == NULL))
      return EOF;
-  _IO_wsetb (fp, buf, buf + BUFSIZ, 1);
+  _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1);
    return 1;
  libc_hidden_def (_IO_wdefault_doallocate)