From 8a29509dd9aa179bfe4ef96d49d72f6816ec878f Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov
Date: Wed, 12 Aug 2015 18:56:08 -0700
Subject: [PATCH] Fix BZ #16734 -- fopen calls mmap to allocate its buffer
---
 ChangeLog | 15 +++++++++++++++
 NEWS | 4 ++--
 libio/filedoalloc.c | 4 +++-
 libio/genops.c | 12 +++++++-----
 libio/libio.h | 3 +--
 libio/libioP.h | 40 ----------------------------------------
 libio/wfiledoalloc.c | 4 +++-
 libio/wgenops.c | 9 +++++----
 8 files changed, 36 insertions(+), 55 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 24e029e..5f94da6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+2015-08-12 Paul Pluzhnikov
+
+ [BZ #16734]
+ * libio/libioP.h (ROUND_TO_PAGE, ALLOC_BUF, ALLOC_WBUF): Delete.
+ (FREE_BUF): Delete.
+ * libio/libio.h (_IO_FILE_complete): Delete unused _freeres_size.
+ * libio/genops.c (_IO_setb): Use malloc and free directly.
+ (_IO_default_doallocate, _IO_default_finish): Likewise.
+ ( _IO_unbuffer_all): Likewise.
+ ( libc_freeres_fn): Likewise.
+ * libio/filedoalloc.c (_IO_file_doallocate): Likewise.
+ * libio/wfiledoalloc.c (_IO_wfile_doallocate): Likewise.
+ * libio/wgenops.c (_IO_wsetb, _IO_wdefault_finish): Likewise.
+ (_IO_wdefault_doallocate): Likewise.
+
 2015-08-11 Paul Pluzhnikov
 [BZ #18086]
diff --git a/NEWS b/NEWS
index c6a2c2c..97ab768 100644
--- a/NEWS
+++ b/NEWS
@@ -9,8 +9,8 @@ Version 2.23
 * The following bugs are resolved with this release:
- 16517, 16519, 17905, 18086, 18265, 18480, 18525, 18618, 18647, 18661,
- 18674, 18778, 18781, 18787, 18789, 18790.
+ 16517, 16519, 16734, 17905, 18086, 18265, 18480, 18525, 18618, 18647,
+ 18661, 18674, 18778, 18781, 18787, 18789, 18790.
 Version 2.22
diff --git a/libio/filedoalloc.c b/libio/filedoalloc.c
index 918a24a..78aa3d5 100644
--- a/libio/filedoalloc.c
+++ b/libio/filedoalloc.c
@@ -125,7 +125,9 @@ _IO_file_doallocate (fp)
 size = st.st_blksize;
 #endif
 }
- ALLOC_BUF (p, size, EOF);
+ p = malloc (size);
+ if (__glibc_unlikely (p == NULL))
+ return EOF;
 _IO_setb (fp, p, p + size, 1);
 return 1;
 }
diff --git a/libio/genops.c b/libio/genops.c
index e13b3d1..45c9d41 100644
--- a/libio/genops.c
+++ b/libio/genops.c
@@ -398,7 +398,7 @@ _IO_setb (f, b, eb, a)
 int a;
 {
 if (f->_IO_buf_base && !(f->_flags & _IO_USER_BUF))
- FREE_BUF (f->_IO_buf_base, _IO_blen (f));
+ free (f->_IO_buf_base);
 f->_IO_buf_base = b;
 f->_IO_buf_end = eb;
 if (a)
@@ -587,7 +587,10 @@ _IO_default_doallocate (fp)
 {
 char *buf;
- ALLOC_BUF (buf, _IO_BUFSIZ, EOF);
+ buf = malloc(_IO_BUFSIZ);
+ if (__glibc_unlikely (buf == NULL))
+ return EOF;
+
 _IO_setb (fp, buf, buf+_IO_BUFSIZ, 1);
 return 1;
 }
@@ -687,7 +690,7 @@ _IO_default_finish (fp, dummy)
 struct _IO_marker *mark;
 if (fp->_IO_buf_base && !(fp->_flags & _IO_USER_BUF))
 {
- FREE_BUF (fp->_IO_buf_base, _IO_blen (fp));
+ free (fp->_IO_buf_base);
 fp->_IO_buf_base = fp->_IO_buf_end = NULL;
 }
@@ -972,7 +975,6 @@ _IO_unbuffer_all (void)
 fp->_freeres_list = freeres_list;
 freeres_list = fp;
 fp->_freeres_buf = fp->_IO_buf_base;
- fp->_freeres_size = _IO_blen (fp);
 }
 _IO_SETBUF (fp, NULL, 0);
@@ -999,7 +1001,7 @@ libc_freeres_fn (buffer_free)
 while (freeres_list != NULL)
 {
- FREE_BUF (freeres_list->_freeres_buf, freeres_list->_freeres_size);
+ free (freeres_list->_freeres_buf);
 freeres_list = freeres_list->_freeres_list;
 }
diff --git a/libio/libio.h b/libio/libio.h
index 9ff1fb0..08e0347 100644
--- a/libio/libio.h
+++ b/libio/libio.h
@@ -297,14 +297,13 @@ struct _IO_FILE_complete
 struct _IO_wide_data *_wide_data;
 struct _IO_FILE *_freeres_list;
 void *_freeres_buf;
- size_t _freeres_size;
 # else
 void *__pad1;
 void *__pad2;
 void *__pad3;
 void *__pad4;
- size_t __pad5;
 # endif
+ size_t __pad5;
 int _mode;
 /* Make sure we don't get into trouble again. */
 char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
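Review bot: In `_IO_file_doallocate` (libio/filedoalloc.c) the stream buffer now comes from `malloc (size)`, so on builds where `_G_HAVE_MMAP` selected the mmap variant of `ALLOC_BUF` it is no longer a zero-filled mapping but a heap chunk holding whatever was there before, and nothing in the visible lines records that. The matching `free` calls added elsewhere in this patch also return the buffer to the allocator with the stream's data still in it, where `munmap` gave the pages back to the kernel; code that reads secrets through stdio will want its own buffer via `setvbuf` and to wipe it itself. A comment above the allocation would document this, for example `/* malloc'd: not zero-filled, and contents survive free.  */`. The function body starts before this hunk.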
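Review bot: `free (f->_IO_buf_base)` in `_IO_setb` (libio/genops.c) depends on every buffer installed without `_IO_USER_BUF` having been obtained from malloc, and that invariant is not stated anywhere in the hunk. With the removed mmap variant of `FREE_BUF` a pointer that did not come from the allocator went to `munmap`, whose result was ignored; handing the same pointer to `free` is undefined behaviour and will typically abort or corrupt the heap. I would add `/* Buffers without _IO_USER_BUF must be malloc'd; they are released with free.  */` above the `if`. The same applies to `_IO_default_finish` and `libc_freeres_fn` in this file and to `_IO_wsetb` and `_IO_wdefault_finish` in libio/wgenops.c. The function starts before the hunk and continues past `if (a)`.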
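Review bot: `buf = malloc(_IO_BUFSIZ);` in `_IO_default_doallocate` omits the space before the parenthesis that the other allocations added by this patch use (`malloc (size)` in filedoalloc.c, `malloc (_IO_BUFSIZ)` in wgenops.c). Write `buf = malloc (_IO_BUFSIZ);` so the new lines are consistent.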
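Review bot: `size_t __pad5;` in `struct _IO_FILE_complete` (libio/libio.h) is now unconditional, but no comment says why a padding member remains in the branch that used to hold `_freeres_size`. It appears to be there so that `_mode` and `_unused2`, whose size expression still subtracts `sizeof (size_t)`, keep their offsets. A comment such as `/* Formerly _freeres_size; kept so the layout does not change.  */` would stop a later cleanup from dropping it. The struct starts before the hunk and continues after it.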
diff --git a/libio/libioP.h b/libio/libioP.h
index 0f16e2d..36170ea 100644
--- a/libio/libioP.h
+++ b/libio/libioP.h
@@ -760,46 +760,6 @@ extern _IO_off64_t _IO_seekpos_unlocked (_IO_FILE *, _IO_off64_t, int)
 # define munmap __munmap
 # define ftruncate __ftruncate
 # endif
-
-# define ROUND_TO_PAGE(_S) \
- (((_S) + EXEC_PAGESIZE - 1) & ~(EXEC_PAGESIZE - 1))
-
-# define FREE_BUF(_B, _S) \
- munmap ((_B), ROUND_TO_PAGE (_S))
-# define ALLOC_BUF(_B, _S, _R) \
- do { \
- (_B) = (char *) mmap (0, ROUND_TO_PAGE (_S), \
- PROT_READ | PROT_WRITE, \
- MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
- if ((_B) == (char *) MAP_FAILED) \
- return (_R); \
- } while (0)
-# define ALLOC_WBUF(_B, _S, _R) \
- do { \
- (_B) = (wchar_t *) mmap (0, ROUND_TO_PAGE (_S), \
- PROT_READ | PROT_WRITE, \
- MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
- if ((_B) == (wchar_t *) MAP_FAILED) \
- return (_R); \
- } while (0)
-
-#else /* _G_HAVE_MMAP */
-
-# define FREE_BUF(_B, _S) \
- free(_B)
-# define ALLOC_BUF(_B, _S, _R) \
- do { \
- (_B) = (char*)malloc(_S); \
- if ((_B) == NULL) \
- return (_R); \
- } while (0)
-# define ALLOC_WBUF(_B, _S, _R) \
- do { \
- (_B) = (wchar_t *)malloc(_S); \
- if ((_B) == NULL) \
- return (_R); \
- } while (0)
-
 #endif /* _G_HAVE_MMAP */
 #ifndef OS_FSTAT
diff --git a/libio/wfiledoalloc.c b/libio/wfiledoalloc.c
index 12425fd..4acf3f8 100644
--- a/libio/wfiledoalloc.c
+++ b/libio/wfiledoalloc.c
@@ -95,7 +95,9 @@ _IO_wfile_doallocate (fp)
 size = fp->_IO_buf_end - fp->_IO_buf_base;
 if ((fp->_flags & _IO_USER_BUF))
 size = (size + sizeof (wchar_t) - 1) / sizeof (wchar_t);
- ALLOC_WBUF (p, size * sizeof (wchar_t), EOF);
+ p = malloc (size * sizeof (wchar_t));
+ if (__glibc_unlikely (p == NULL))
+ return EOF;
 _IO_wsetb (fp, p, p + size, 1);
 return 1;
 }
diff --git a/libio/wgenops.c b/libio/wgenops.c
index 69f3b95..e7d2d1c 100644
--- a/libio/wgenops.c
+++ b/libio/wgenops.c
@@ -111,7 +111,7 @@ _IO_wsetb (f, b, eb, a)
 int a;
 {
 if (f->_wide_data->_IO_buf_base && !(f->_flags2 & _IO_FLAGS2_USER_WBUF))
- FREE_BUF (f->_wide_data->_IO_buf_base, _IO_wblen (f) * sizeof (wchar_t));
+ free (f->_wide_data->_IO_buf_base);
 f->_wide_data->_IO_buf_base = b;
 f->_wide_data->_IO_buf_end = eb;
 if (a)
@@ -195,8 +195,7 @@ _IO_wdefault_finish (fp, dummy)
 struct _IO_marker *mark;
 if (fp->_wide_data->_IO_buf_base && !(fp->_flags2 & _IO_FLAGS2_USER_WBUF))
 {
- FREE_BUF (fp->_wide_data->_IO_buf_base,
- _IO_wblen (fp) * sizeof (wchar_t));
+ free (fp->_wide_data->_IO_buf_base);
 fp->_wide_data->_IO_buf_base = fp->_wide_data->_IO_buf_end = NULL;
 }
@@ -426,7 +425,9 @@ _IO_wdefault_doallocate (fp)
 {
 wchar_t *buf;
- ALLOC_WBUF (buf, _IO_BUFSIZ, EOF);
+ buf = malloc (_IO_BUFSIZ);
+ if (__glibc_unlikely (buf == NULL))
+ return EOF;
 _IO_wsetb (fp, buf, buf + _IO_BUFSIZ, 1);
 return 1;
 }
--
2.7.4
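Review bot: In `_IO_wdefault_doallocate` the allocation is `malloc (_IO_BUFSIZ)` bytes, but the end pointer passed on the next line is `buf + _IO_BUFSIZ` on a `wchar_t *`, which lies `_IO_BUFSIZ * sizeof (wchar_t)` bytes past the start. The buffer recorded by `_IO_wsetb` is therefore larger than the allocation. The removed `ALLOC_WBUF (buf, _IO_BUFSIZ, EOF)` requested the same size, but the memory is now a heap chunk, so a wide stream that fills its buffer would write past it into neighbouring heap data. `_IO_wfile_doallocate` in libio/wfiledoalloc.c already multiplies by `sizeof (wchar_t)`; do the same here with `buf = malloc (_IO_BUFSIZ * sizeof (wchar_t));`.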