On 'do_ftell_test' the code:
365 if (test_modes[i].fd_mode != O_WRONLY)
366 {
367 char tmpbuf[data_len];
368
369 rewind (fp);
370
371 while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
The 'data_len' is calculated with wsclen and allocated as 'char'. The
subsequent fgetws will then try to write at most 'data_len' wchar_t
in a buffer with just data_len 'char'. This patch fixes it by
allocating the tmpbuf using 'wchar_t' * data_len bytes.
+2014-12-05 Adhemerval Zanella <azanella@linux.vnet.ibm.com>
+
+ * libio/tst-ftell-active-handler.c (do_ftell_test): Fix buffer overrun
+ for wide-character tests.
+
2014-12-04 Roland McGrath <roland@hack.frob.com>
* io/openat64.c: #include <libc-internal.h>
2014-12-04 Roland McGrath <roland@hack.frob.com>
* io/openat64.c: #include <libc-internal.h>
static const wchar_t *wide_data = L"abcdef";
static size_t data_len;
static size_t file_len;
static const wchar_t *wide_data = L"abcdef";
static size_t data_len;
static size_t file_len;
typedef int (*fputs_func_t) (const void *data, FILE *fp);
typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
typedef int (*fputs_func_t) (const void *data, FILE *fp);
typedef void *(*fgets_func_t) (void *ws, int n, FILE *fp);
reading. */
if (test_modes[i].fd_mode != O_WRONLY)
{
reading. */
if (test_modes[i].fd_mode != O_WRONLY)
{
+ char tmpbuf[data_len * char_len];
- while (fgets_func (tmpbuf, sizeof (tmpbuf), fp) && !feof (fp));
+ while (fgets_func (tmpbuf, data_len, fp) && !feof (fp));
write_ret = write (fd, data, data_len);
if (write_ret != data_len)
write_ret = write (fd, data, data_len);
if (write_ret != data_len)
fgets_func = (fgets_func_t) fgets;
data = char_data;
data_len = strlen (char_data);
fgets_func = (fgets_func_t) fgets;
data = char_data;
data_len = strlen (char_data);
+ char_len = sizeof (char);
ret |= do_one_test (filename);
/* Truncate the file before repeating the tests in wide mode. */
ret |= do_one_test (filename);
/* Truncate the file before repeating the tests in wide mode. */
fgets_func = (fgets_func_t) fgetws;
data = wide_data;
data_len = wcslen (wide_data);
fgets_func = (fgets_func_t) fgetws;
data = wide_data;
data_len = wcslen (wide_data);
+ char_len = sizeof (wchar_t);
ret |= do_one_test (filename);
return ret;
ret |= do_one_test (filename);
return ret;