This is the mail archive of the
newlib@sourceware.org
mailing list for the newlib project.
[patch] Fix buffer overflow in wctob
- From: Corinna Vinschen <vinschen at redhat dot com>
- To: newlib at sourceware dot org
- Date: Sun, 2 May 2010 13:55:02 +0200
- Subject: [patch] Fix buffer overflow in wctob
- Reply-to: newlib at sourceware dot org
Hi,
A report on the Cygwin ML pointed out a buffer overflow in newlib's
wctob implementation:
http://cygwin.com/ml/cygwin/2010-05/msg00015.html
I've applied the below fix.
Corinna
* libc/stdlib/wctob.c (wctob): Reorganize and fix WEOF check. Rename
pwc to pmb and convert to array to avoid buffer overflow. Rename c to
wc. Check wc for WEOF instead of for EOF. Return first byte of pmb if
__wctomb conversion returned exactly one byte, EOF otherwise.
Index: libc/stdlib/wctob.c
===================================================================
RCS file: /cvs/src/src/newlib/libc/stdlib/wctob.c,v
retrieving revision 1.4
diff -u -p -r1.4 wctob.c
--- libc/stdlib/wctob.c 18 Nov 2009 09:49:57 -0000 1.4
+++ libc/stdlib/wctob.c 2 May 2010 11:53:49 -0000
@@ -1,26 +1,24 @@
#include <reent.h>
#include <wchar.h>
-#include <stdlib.h>
#include <stdio.h>
#include <string.h>
+#include <limits.h>
#include "local.h"
int
-wctob (wint_t c)
+wctob (wint_t wc)
{
mbstate_t mbs;
- int retval = 0;
- unsigned char pwc;
+ unsigned char pmb[MB_LEN_MAX];
+
+ if (wc == WEOF)
+ return EOF;
/* Put mbs in initial state. */
memset (&mbs, '\0', sizeof (mbs));
_REENT_CHECK_MISC(_REENT);
- retval = __wctomb (_REENT, &pwc, c, __locale_charset (), &mbs);
-
- if (c == EOF || retval != 1)
- return WEOF;
- else
- return (int)pwc;
+ return __wctomb (_REENT, (char *) pmb, wc, __locale_charset (), &mbs) == 1
+ ? (int) pmb[0] : EOF;
}
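Review bot: the new declaration `unsigned char pmb[MB_LEN_MAX];` carries no comment explaining why a function that returns at most one byte needs a full-size buffer, which makes it easy for a later cleanup to shrink it back to a single `unsigned char` and reintroduce the overflow. A short comment above it would help, for example noting that `__wctomb` writes the whole multibyte sequence before the `== 1` length check can reject it. The fix also depends on `__wctomb` never writing more than MB_LEN_MAX bytes for any charset returned by `__locale_charset ()`; that bound is not visible in this hunk and is worth confirming against the converters. The reordering itself looks right: testing `wc == WEOF` before the conversion and returning `EOF` instead of `WEOF` matches the `int` return type, and keeping `pmb` unsigned avoids a negative result from `(int) pmb[0]` for bytes above 0x7f.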
--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat