From: Andreas Schwab
To: libc-hacker@sourceware.org
Subject: [PATCH] Don't read past end of buffer in fmemopen
Date: Thu, 03 Mar 2011 13:08:00 -0000

The buffer is not required to contain a zero byte at all.

Andreas.

2011-03-03  Andreas Schwab

	* libio/fmemopen.c (fmemopen): Don't read past end of buffer.

--- libio/fmemopen.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libio/fmemopen.c b/libio/fmemopen.c index d3750fc..1a631d5 100644 --- a/libio/fmemopen.c +++ b/libio/fmemopen.c
@@ -1,5 +1,5 @@ /* Fmemopen implementation. - Copyright (C) 2000, 2002, 2005, 2006, 2008, 2009 + Copyright (C) 2000, 2002, 2005, 2006, 2008, 2009, 2011 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Hanno Mueller, kontakt@hanno.de, 2000. @@ -243,7 +243,7 @@ fmemopen (void *buf, size_t len, const char *mode) if (mode[0] == 'w') c->buffer[0] = '\0'; - c->maxpos = strlen (c->buffer); + c->maxpos = strnlen (c->buffer, len); if (mode[0] == 'a') c->pos = c->maxpos; -- 1.7.4 -- Andreas Schwab, schwab@redhat.com GPG Key fingerprint = D4E8 DBE3 3813 BB5D FA84 5EC7 45C6 250E 6F00 984E "And now for something completely different."
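Review bot: In the second hunk (fmemopen, near line 243), `strnlen (c->buffer, len)` returns `len` when the buffer holds no zero byte, so in "a" mode the following `c->pos = c->maxpos` puts the position at the very end of the buffer and the stream opens with no room left to write. That outcome looks right for a full buffer, but it deserves a one-line comment above the assignment so the `maxpos == len` case is documented. The diffstat shows only libio/fmemopen.c changing, so I would also ask for a regression test that opens a buffer containing no zero byte in "r" and "a" modes and checks the resulting size and position.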