For line-buffered streams the __sflush() function did not correctly update
the FILE object's write space member when the write(2) system call returns
an error.

Depending on the nature of an application that calls libc's stdio functions
and the presence of errors returned from the write(2) system call (or an
overridden stdio write routine) a heap buffer overflow may occur.  Such
overflows may lead to data corruption or the execution of arbitrary code at
the privilege level of the calling program.

Obtained from: FreeBSD
laffer1 committed Nov 8, 2023
1 parent 91f3d90 commit 7389a92
Showing 1 changed file with 9 additions and 10 deletions.
19 changes: 9 additions & 10 deletions lib/libc/stdio/fflush.c
Expand Up @@ -105,10 +105,10 @@ int
__sflush(FILE *fp)
{
unsigned char *p;
int n, t;
int n, f, t;

t = fp->_flags;
if ((t & __SWR) == 0)
f = fp->_flags;
if ((f & __SWR) == 0)
return (0);

if ((p = fp->_bf._base) == NULL)
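Review bot: `int n, f, t;` at the top of `__sflush()` needs a short comment saying that `f` is the snapshot of `fp->_flags` taken on entry and that `t` is now only the `_swrite()` byte count, because the single-letter names give no hint of that split. It is also worth stating why the `_w` reset before the loop uses the snapshot `f` while the error path in the next hunk reads `fp->_flags` again. The existing comment about a user write function exchanging buffering via setvbuf suggests the live read is deliberate there, and saying so would keep someone from folding one into the other.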
Expand All @@ -121,19 +121,18 @@ __sflush(FILE *fp)
* exchange buffering (via setvbuf) in user write function.
*/
fp->_p = p;
fp->_w = t & (__SLBF|__SNBF) ? 0 : fp->_bf._size;
fp->_w = f & (__SLBF|__SNBF) ? 0 : fp->_bf._size;

for (; n > 0; n -= t, p += t) {
t = _swrite(fp, (char *)p, n);
if (t <= 0) {
/* Reset _p and _w. */
if (p > fp->_p) {
if (p > fp->_p)
/* Some was written. */
memmove(fp->_p, p, n);
fp->_p += n;
if ((fp->_flags & (__SLBF | __SNBF)) == 0)
fp->_w -= n;
}
/* Reset _p and _w. */
fp->_p += n;
if ((fp->_flags & __SNBF) == 0)
fp->_w -= n;
fp->_flags |= __SERR;
return (EOF);
}
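Review bot: the error-path test goes from `(__SLBF | __SNBF)` to `__SNBF` alone, so line-buffered streams now get `fp->_w -= n`, and this one-token change carries no comment even though it is the substance of the fix. Add a line at that test explaining why `_w` has to be reduced for line-buffered streams although it was set to 0 before the loop, so the mask is not widened again later. Separately, with the braces dropped, `if (p > fp->_p)` is followed by a comment, then the `memmove()`, then `fp->_p += n;` directly behind it. Keeping the braces around the `memmove()` would make it obvious that only the copy is conditional and that `_p` and `_w` are now adjusted even when nothing was written. A regression test using a write routine that fails after a partial write would be a useful addition.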