From patchwork Thu Jun 25 12:23:29 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Schwab <schwab@suse.de>
X-Patchwork-Id: 7348
Received: (qmail 46759 invoked by alias); 25 Jun 2015 12:23:34 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 46720 invoked by uid 89); 25 Jun 2015 12:23:33 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-3.0 required=5.0 tests=AWL, BAYES_00,
	KAM_LAZY_DOMAIN_SECURITY,
	RP_MATCHES_RCVD autolearn=ham version=3.3.2
X-HELO: mx2.suse.de
From: Andreas Schwab <schwab@suse.de>
To: libc-alpha@sourceware.org
Subject: [PATCH] Fix buffer overflow for writes to memory buffer stream (bug
	18549)
X-Yow: How do you explain Wayne Newton's POWER over millions?
	It's th' MOUSTACHE...  Have you ever noticed th' way it radiates
	SINCERITY, HONESTY & WARMTH?  It's a MOUSTACHE you want to take
	HOME and introduce to NANCY SINATRA!
Date: Thu, 25 Jun 2015 14:23:29 +0200
Message-ID: <mvmoak4yo1q.fsf@hawking.suse.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0

Tested on x86_64-suse-linux.

Andreas.

	[BZ #18549]
	* libio/fmemopen.c (fmemopen_write): Fix bounds check for ENOSPC.
	* libio/test-fmemopen.c (do_test): Add test for it.
---
 libio/fmemopen.c      |  2 +-
 libio/test-fmemopen.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index 6c50fba..06e5ab8 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -124,7 +124,7 @@ fmemopen_write (void *cookie, const char *b, size_t s)
 
   if (c->pos + s + addnullc > c->size)
     {
-      if ((size_t) (c->pos + addnullc) == c->size)
+      if ((size_t) (c->pos + addnullc) >= c->size)
 	{
 	  __set_errno (ENOSPC);
 	  return 0;
diff --git a/libio/test-fmemopen.c b/libio/test-fmemopen.c
index cddf0cf..63ca89f 100644
--- a/libio/test-fmemopen.c
+++ b/libio/test-fmemopen.c
@@ -21,21 +21,30 @@ static char buffer[] = "foobar";
 
 #include <stdio.h>
 #include <string.h>
+#include <errno.h>
 
 static int
 do_test (void)
 {
   int ch;
   FILE *stream;
+  int ret = 0;
 
-  stream = fmemopen (buffer, strlen (buffer), "r");
+  stream = fmemopen (buffer, strlen (buffer), "r+");
 
   while ((ch = fgetc (stream)) != EOF)
     printf ("Got %c\n", ch);
 
+  fputc ('1', stream);
+  if (fflush (stream) != EOF || errno != ENOSPC)
+    {
+      printf ("fflush didn't fail with ENOSPC\n");
+      ret = 1;
+    }
+
   fclose (stream);
 
-  return 0;
+  return ret;
 }
 
 #define TEST_FUNCTION do_test ()