From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-943-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 105451 invoked by alias); 16 May 2019 08:49:26 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 105438 invoked by uid 89); 16 May 2019 08:49:26 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-19.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_SHORT,SPF_HELO_PASS autolearn=ham version=3.3.1 spammy=
X-Spam-Status: No, score=-19.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,KAM_SHORT,SPF_HELO_PASS autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org
X-Spam-Level:
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 16 May 2019 08:49:24 +0000
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by mx1.redhat.com (Postfix) with ESMTPS id 432BF59464	for <libc-stable@sourceware.org>; Thu, 16 May 2019 08:49:23 +0000 (UTC)
Received: from oldenburg2.str.redhat.com (ovpn-116-81.ams2.redhat.com [10.36.116.81])	by smtp.corp.redhat.com (Postfix) with ESMTPS id CB0FF19936	for <libc-stable@sourceware.org>; Thu, 16 May 2019 08:49:22 +0000 (UTC)
Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000)	id B978B83FCF2F; Thu, 16 May 2019 10:49:20 +0200 (CEST)
Date: Tue, 01 Jan 2019 00:00:00 -0000
To: libc-stable@sourceware.org
Subject: [2.26 COMMITTED] Fix crash in _IO_wfile_sync (bug 20568)
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20190516084920.B978B83FCF2F@oldenburg2.str.redhat.com>
From: Florian Weimer <fweimer@redhat.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 16 May 2019 08:49:23 +0000 (UTC)
X-IsSubscribed: yes
X-SW-Source: 2019-05/txt/msg00008.txt.bz2

From: Andreas Schwab <schwab@suse.de>

When computing the length of the converted part of the stdio buffer, use
the number of consumed wide characters, not the (negative) distance to the
end of the wide buffer.

(cherry picked from commit 32ff397533715988c19cbf3675dcbd727ec13e18)

2019-05-15  Andreas Schwab  <schwab@suse.de>

	[BZ #20568]
	* libio/wfileops.c (_IO_wfile_sync): Correct last argument to
	__codecvt_do_length.
	* libio/Makefile (tests): Add tst-wfile-sync.
	($(objpfx)tst-wfile-sync.out): Depend on $(gen-locales).
	* libio/tst-wfile-sync.c: New file.
	* libio/tst-wfile-sync.input: New file.

diff --git a/NEWS b/NEWS
index 735c578726..c6c44a3914 100644
--- a/NEWS
+++ b/NEWS
@@ -107,6 +107,7 @@ The following bugs are resolved with this release:
   [17956] crypt: Use NSPR header files in addition to NSS header files
   [20419] elf: Fix stack overflow with huge PT_NOTE segment
   [20532] getaddrinfo: More robust handling of dlopen failures
+  [20568] Fix crash in _IO_wfile_sync
   [21242] assert: Suppress pedantic warning caused by statement expression
   [21265] x86-64: Use fxsave/xsave/xsavec in _dl_runtime_resolve
   [21269] i386 sigaction sa_restorer handling is wrong
diff --git a/libio/Makefile b/libio/Makefile
index 74bf5279f1..79158f3ebd 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -62,7 +62,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
 	bug-memstream1 bug-wmemstream1 \
 	tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
 	tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
-	tst-ftell-append tst-fputws
+	tst-ftell-append tst-fputws tst-wfile-sync
 
 tests-internal = tst-vtables tst-vtables-interposed
 
@@ -202,6 +202,7 @@ $(objpfx)tst-ungetwc1.out: $(gen-locales)
 $(objpfx)tst-ungetwc2.out: $(gen-locales)
 $(objpfx)tst-widetext.out: $(gen-locales)
 $(objpfx)tst_wprintf2.out: $(gen-locales)
+$(objpfx)tst-wfile-sync.out: $(gen-locales)
 endif
 
 $(objpfx)test-freopen.out: test-freopen.sh $(objpfx)test-freopen
diff --git a/libio/tst-wfile-sync.c b/libio/tst-wfile-sync.c
new file mode 100644
index 0000000000..618682064d
--- /dev/null
+++ b/libio/tst-wfile-sync.c
@@ -0,0 +1,39 @@
+/* Test that _IO_wfile_sync does not crash (bug 20568).
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <locale.h>
+#include <stdio.h>
+#include <wchar.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+
+static int
+do_test (void)
+{
+  TEST_VERIFY_EXIT (setlocale (LC_ALL, "de_DE.UTF-8") != NULL);
+  /* Fill the stdio buffer and advance the read pointer.  */
+  TEST_VERIFY_EXIT (fgetwc (stdin) != WEOF);
+  /* This calls _IO_wfile_sync, it should not crash.  */
+  TEST_VERIFY_EXIT (setvbuf (stdin, NULL, _IONBF, 0) == 0);
+  /* Verify that the external file offset has been synchronized.  */
+  TEST_COMPARE (xlseek (0, 0, SEEK_CUR), 1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/libio/tst-wfile-sync.input b/libio/tst-wfile-sync.input
new file mode 100644
index 0000000000..12d0958f7a
--- /dev/null
+++ b/libio/tst-wfile-sync.input
@@ -0,0 +1 @@
+This is a test of _IO_wfile_sync.
diff --git a/libio/wfileops.c b/libio/wfileops.c
index fb94f45040..727e1b23b9 100644
--- a/libio/wfileops.c
+++ b/libio/wfileops.c
@@ -526,11 +526,12 @@ _IO_wfile_sync (_IO_FILE *fp)
 	     generate the wide characters up to the current reading
 	     position.  */
 	  int nread;
-
+	  size_t wnread = (fp->_wide_data->_IO_read_ptr
+			   - fp->_wide_data->_IO_read_base);
 	  fp->_wide_data->_IO_state = fp->_wide_data->_IO_last_state;
 	  nread = (*cv->__codecvt_do_length) (cv, &fp->_wide_data->_IO_state,
 					      fp->_IO_read_base,
-					      fp->_IO_read_end, delta);
+					      fp->_IO_read_end, wnread);
 	  fp->_IO_read_ptr = fp->_IO_read_base + nread;
 	  delta = -(fp->_IO_read_end - fp->_IO_read_base - nread);
 	}