glibc/libio/iowpadn.c
Eric Biggers 3d110c7c6e Fix fwrite() reading beyond end of buffer in error path
Partially revert commits 2b766585f9b4ffabeef2f36200c275976b93f2c7 and
de2fd463b1c0310d75084b6d774fb974075a4ad9, which were intended to fix BZ#11741
but caused another, likely worse bug, namely that fwrite() and fputs() could,
in an error path, read data beyond the end of the specified buffer, and
potentially even write this data to the file.

Fix BZ#11741 properly by checking the return value from _IO_padn() in
stdio-common/vfprintf.c.
2013-10-11 22:29:38 +05:30

78 lines
2.2 KiB
C

/* Copyright (C) 1993-2013 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>.
As a special exception, if you link the code in this file with
files compiled with a GNU compiler to produce an executable,
that does not cause the resulting executable to be covered by
the GNU Lesser General Public License. This exception does not
however invalidate any other reasons why the executable file
might be covered by the GNU Lesser General Public License.
This exception applies to code released by its copyright holders
in files containing the exception. */
#include "libioP.h"
#define PADSIZE 16
static wchar_t const blanks[PADSIZE] =
{
L' ', L' ', L' ', L' ', L' ', L' ', L' ', L' ',
L' ', L' ', L' ', L' ', L' ', L' ', L' ', L' '
};
static wchar_t const zeroes[PADSIZE] =
{
L'0', L'0', L'0', L'0', L'0', L'0', L'0', L'0',
L'0', L'0', L'0', L'0', L'0', L'0', L'0', L'0'
};
_IO_ssize_t
_IO_wpadn (fp, pad, count)
_IO_FILE *fp;
wint_t pad;
_IO_ssize_t count;
{
wchar_t padbuf[PADSIZE];
const wchar_t *padptr;
int i;
_IO_size_t written = 0;
_IO_size_t w;
if (pad == L' ')
padptr = blanks;
else if (pad == L'0')
padptr = zeroes;
else
{
for (i = PADSIZE; --i >= 0; )
padbuf[i] = pad;
padptr = padbuf;
}
for (i = count; i >= PADSIZE; i -= PADSIZE)
{
w = _IO_sputn (fp, (char *) padptr, PADSIZE);
written += w;
if (w != PADSIZE)
return written;
}
if (i > 0)
{
w = _IO_sputn (fp, (char *) padptr, i);
written += w;
}
return written;
}