65 lines
1.4 KiB
Diff
65 lines
1.4 KiB
Diff
From 1527ac4626b4bf1bcc46203481003a7f33e2aca5 Mon Sep 17 00:00:00 2001
|
|
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
|
Date: Tue, 21 Jun 2022 14:43:30 +0100
|
|
Subject: [PATCH] Fix invalid pointer dereference in wcscpy_chk
|
|
|
|
The src pointer is const and points to a different object, so accessing
|
|
dest via src is invalid.
|
|
|
|
Reviewed-by: Florian Weimer <fweimer@redhat.com>
|
|
---
|
|
debug/wcscpy_chk.c | 34 +++++++---------------------------
|
|
1 file changed, 7 insertions(+), 27 deletions(-)
|
|
|
|
diff --git a/debug/wcscpy_chk.c b/debug/wcscpy_chk.c
|
|
index dfe475da..8115b00e 100644
|
|
--- a/debug/wcscpy_chk.c
|
|
+++ b/debug/wcscpy_chk.c
|
|
@@ -25,36 +25,16 @@ wchar_t *
|
|
__wcscpy_chk (wchar_t *dest, const wchar_t *src, size_t n)
|
|
{
|
|
wint_t c;
|
|
- wchar_t *wcp;
|
|
+ wchar_t *wcp = dest;
|
|
|
|
- if (__alignof__ (wchar_t) >= sizeof (wchar_t))
|
|
+ do
|
|
{
|
|
- const ptrdiff_t off = dest - src - 1;
|
|
-
|
|
- wcp = (wchar_t *) src;
|
|
-
|
|
- do
|
|
- {
|
|
- if (__glibc_unlikely (n-- == 0))
|
|
- __chk_fail ();
|
|
- c = *wcp++;
|
|
- wcp[off] = c;
|
|
- }
|
|
- while (c != L'\0');
|
|
- }
|
|
- else
|
|
- {
|
|
- wcp = dest;
|
|
-
|
|
- do
|
|
- {
|
|
- if (__glibc_unlikely (n-- == 0))
|
|
- __chk_fail ();
|
|
- c = *src++;
|
|
- *wcp++ = c;
|
|
- }
|
|
- while (c != L'\0');
|
|
+ if (__glibc_unlikely (n-- == 0))
|
|
+ __chk_fail ();
|
|
+ c = *src++;
|
|
+ *wcp++ = c;
|
|
}
|
|
+ while (c != L'\0');
|
|
|
|
return dest;
|
|
}
|
|
--
|
|
2.27.0
|
|
|