diff options
| author | Timo Teräs <timo.teras@iki.fi> | 2016-05-18 10:51:38 +0300 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2016-05-18 10:52:05 +0300 |
| commit | e73a05a575531e0afb22a95787fdd587d0c435e7 (patch) | |
| tree | 2d094bc52eb0bb20ad3ae5f36c20984fdb26915d /main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch | |
| parent | 18e963840b7262efd7b2e971bd01b2b0fd485806 (diff) | |
| download | aports-e73a05a575531e0afb22a95787fdd587d0c435e7.tar.bz2 aports-e73a05a575531e0afb22a95787fdd587d0c435e7.tar.xz | |
main/musl: cherry-pick two additional upstream fixes
Diffstat (limited to 'main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch')
| -rw-r--r-- | main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch b/main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch new file mode 100644 index 0000000000..78c716121a --- /dev/null +++ b/main/musl/0011-fix-FILE-buffer-underflow-in-ungetwc.patch @@ -0,0 +1,54 @@ +From 6ed791e768d83b40ed56c99dbb1ed72c1e49aae7 Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Tue, 26 Apr 2016 15:26:40 -0400 +Subject: [PATCH] fix FILE buffer underflow in ungetwc + +commit 7e816a6487932cbb3cb71d94b609e50e81f4e5bf (version 1.1.11 +release cycle) moved the code that performs wchar_t to multibyte +conversion across code that used the resulting length in bytes, +thereby breaking the unget buffer space check in ungetwc and +clobbering up to three bytes below the start of the buffer. + +for allocated FILEs (all read-enabled FILEs except stdin), the +underflow clobbers at most the FILE-specific locale pointer. no stores +are performed through this pointer, but subsequent loads may result in +a crash or mismatching encoding rule (UTF-8 multibyte vs byte-based). + +for stdin, the buffer lies in .bss and the underflow may clobber +another object. in practice, for libc.so the adjacent object seems to +be stderr's buffer, which is completely unused, but this could vary +with linking options, or when static linking. + +applications which do not attempt to use more than one character of +ungetwc pushback, or which do not use ungetwc, are not affected. +--- + src/stdio/ungetwc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/stdio/ungetwc.c b/src/stdio/ungetwc.c +index 80d6e20..9edf366 100644 +--- a/src/stdio/ungetwc.c ++++ b/src/stdio/ungetwc.c +@@ -8,7 +8,7 @@ + wint_t ungetwc(wint_t c, FILE *f) + { + unsigned char mbc[MB_LEN_MAX]; +- int l=1; ++ int l; + locale_t *ploc = &CURRENT_LOCALE, loc = *ploc; + + FLOCK(f); +@@ -17,8 +17,8 @@ wint_t ungetwc(wint_t c, FILE *f) + *ploc = f->locale; + + if (!f->rpos) __toread(f); +- if (!f->rpos || f->rpos < f->buf - UNGET + l || c == WEOF || +- (!isascii(c) && (l = wctomb((void *)mbc, c)) < 0)) { ++ if (!f->rpos || c == WEOF || (l = wcrtomb((void *)mbc, c, 0)) < 0 || ++ f->rpos < f->buf - UNGET + l) { + FUNLOCK(f); + *ploc = loc; + return WEOF; +-- +2.8.2 + |