From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2178) id 09E283858C78; Tue, 2 Jan 2024 13:56:14 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 09E283858C78 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1704203775; bh=lgAqkz294mXyQXBBsSMVIjziu1k+QzOfcR5IFBdzIaM=; h=From:To:Subject:Date:From; b=Kif/LOvxaEs/FIn3ehKj2Nh5Oi8VzxH2eHSgltZ1BzvGjPpk156tUtmMISRVXtNhb oR82p02QxFTtvXanmTUYy7okRJb8eiUds0iJIyvycEufdV+sIudrqj0bnlsn8zSRSQ +hHkwiBH46JEQFij/P9C2eVNdLa2LFXdlX6sP8l8= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Florian Weimer To: glibc-cvs@sourceware.org Subject: [glibc/release/2.38/master] libio: Check remaining buffer size in _IO_wdo_write (bug 31183) X-Act-Checkin: glibc X-Git-Author: Florian Weimer X-Git-Refname: refs/heads/release/2.38/master X-Git-Oldrev: ae1e5217021e43e1f2de443d26e87ea3adfb221c X-Git-Newrev: cfe121910013a46e2477562282c56ae8062089aa Message-Id: <20240102135615.09E283858C78@sourceware.org> Date: Tue, 2 Jan 2024 13:56:14 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cfe121910013a46e2477562282c56ae8062089aa commit cfe121910013a46e2477562282c56ae8062089aa Author: Florian Weimer Date: Tue Jan 2 14:36:17 2024 +0100 libio: Check remaining buffer size in _IO_wdo_write (bug 31183) The multibyte character needs to fit into the remaining buffer space, not the already-written buffer space. Without the fix, we were never moving the write pointer from the start of the buffer, always using the single-character fallback buffer. Fixes commit 04b76b5aa8b2d1d19066e42dd1 ("Don't error out writing a multibyte character to an unbuffered stream (bug 17522)"). (cherry picked from commit ecc7c3deb9f347649c2078fcc0f94d4cedf92d60) Diff: --- NEWS | 1 + libio/wfileops.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 905230b838..6768c2da6f 100644 --- a/NEWS +++ b/NEWS @@ -43,6 +43,7 @@ The following bugs are resolved with this release: -D_FILE_OFFSET_BITS=64 [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) [30843] potential use-after-free in getcanonname (CVE-2023-4806) + [31183] Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix [31184] FAIL: elf/tst-tlsgap [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic diff --git a/libio/wfileops.c b/libio/wfileops.c index f16f6db1c3..9ab8f2e7f3 100644 --- a/libio/wfileops.c +++ b/libio/wfileops.c @@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do) char mb_buf[MB_LEN_MAX]; char *write_base, *write_ptr, *buf_end; - if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf)) + if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf)) { /* Make sure we have room for at least one multibyte character. */