[glibc] Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)

[glibc] Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)

[Siddhesh Poyarekar]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=764e9a0334350f52ab6953bef1db97f9b2e89ca5

commit 764e9a0334350f52ab6953bef1db97f9b2e89ca5
Author: Martin Sebor <msebor@gmail.com>
Date:   Mon Mar 1 10:35:39 2021 +0530

    Correct buffer end pointer in IO_wdefault_doallocate (BZ #26874)
    
    An experimental build of GCC 11 with an enhanced -Warray-bounds
    reports a bug in IO_wdefault_doallocate where the function forms
    an invalid past-the-end pointer to an allocated wchar_t buffer
    by failingf to consider the scaling by sizeof (wchar_t).
    
    The fix path below corrects this problem.  It keeps the buffer
    size the same as opposed to increasing it according to what other
    code like it does.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Diff:
---
 libio/wgenops.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/libio/wgenops.c b/libio/wgenops.c
index 3ae6995fa0..106ddfd278 100644
--- a/libio/wgenops.c
+++ b/libio/wgenops.c
@@ -379,12 +379,11 @@ libc_hidden_def (_IO_wdoallocbuf)
 int
 _IO_wdefault_doallocate (FILE *fp)
 {
-  wchar_t *buf;
-
-  buf = malloc (BUFSIZ);
+  wchar_t *buf = (wchar_t *)malloc (BUFSIZ);
   if (__glibc_unlikely (buf == NULL))
     return EOF;
-  _IO_wsetb (fp, buf, buf + BUFSIZ, 1);
+
+  _IO_wsetb (fp, buf, buf + BUFSIZ / sizeof *buf, 1);
   return 1;
 }
 libc_hidden_def (_IO_wdefault_doallocate)