From 9d25c392ba73065ac20f518d1cef1cdc96860545 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Fri, 4 Mar 2011 00:48:00 -0500
Subject: [PATCH] Don't read past end of buffer in fmemopen

---
 ChangeLog        | 4 ++++
 libio/fmemopen.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2cfa1e4..16da2c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2011-03-03  Andreas Schwab  <schwab@redhat.com>
+
+	* libio/fmemopen.c (fmemopen): Don't read past end of buffer.
+
 2011-03-03  Roland McGrath  <roland@redhat.com>
 
 	* setjmp/bits/setjmp2.h: Canonicalize comment formatting.
diff --git a/libio/fmemopen.c b/libio/fmemopen.c
index d3750fc..1a631d5 100644
--- a/libio/fmemopen.c
+++ b/libio/fmemopen.c
@@ -1,5 +1,5 @@
 /* Fmemopen implementation.
-   Copyright (C) 2000, 2002, 2005, 2006, 2008, 2009
+   Copyright (C) 2000, 2002, 2005, 2006, 2008, 2009, 2011
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Hanno Mueller, kontakt@hanno.de, 2000.
@@ -243,7 +243,7 @@ fmemopen (void *buf, size_t len, const char *mode)
   if (mode[0] == 'w')
     c->buffer[0] = '\0';
 
-  c->maxpos = strlen (c->buffer);
+  c->maxpos = strnlen (c->buffer, len);
 
   if (mode[0] == 'a')
     c->pos = c->maxpos;
-- 
2.7.4