public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug build/26874] -Warray-bounds in _IO_wdefault_doallocate Date: Mon, 01 Mar 2021 14:11:10 +0000 [thread overview] Message-ID: <bug-26874-131-IDoyBizJPl@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-26874-131@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=26874 Siddhesh Poyarekar <siddhesh at sourceware dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |siddhesh at sourceware dot org Flags| |security- Resolution|--- |FIXED Status|UNCONFIRMED |RESOLVED Target Milestone|--- |2.34 --- Comment #2 from Siddhesh Poyarekar <siddhesh at sourceware dot org> --- Fixed in main: https://sourceware.org/git/?p=glibc.git;a=commit;h=764e9a0334350f52ab6953bef1db97f9b2e89ca5 commit 764e9a0334350f52ab6953bef1db97f9b2e89ca5 (HEAD -> master, origin/master, origin/HEAD) Author: Martin Sebor <msebor@gmail.com> Date: Mon Mar 1 10:35:39 2021 +0530 Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874) An experimental build of GCC 11 with an enhanced -Warray-bounds reports a bug in IO_wdefault_doallocate where the function forms an invalid past-the-end pointer to an allocated wchar_t buffer by failingf to consider the scaling by sizeof (wchar_t). The fix path below corrects this problem. It keeps the buffer size the same as opposed to increasing it according to what other code like it does. Marking this security- with the following rationale I posted on list: I spent some time following those vtable setups and I don't think _IO_wdefault_doallocate gets called at all. The only instances it is set as the doallocate callback are in strops, wmemstream and in vswprintf. In all those cases, the backing buffer is either user supplied or is sized without using doallocate (as in the case of strops overflow). The only time libio needs to allocate buffers in the wide context is in wfileops when it's actually using the underlying buffer. In that case however, the doallocate callback is different. -- You are receiving this mail because: You are on the CC list for the bug.
prev parent reply other threads:[~2021-03-01 14:11 UTC|newest] Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-11-13 2:42 [Bug build/26874] New: " msebor at gmail dot com 2021-01-01 22:35 ` [Bug build/26874] " msebor at gmail dot com 2021-03-01 14:11 ` siddhesh at sourceware dot org [this message]
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-26874-131-IDoyBizJPl@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).