Message-Id: <20210710131026.AE6BD22201B9@gateway02.insomnia247.nl>
Date: Sat, 10 Jul 2021 15:10:26 +0200 (CEST)
From: jason <jason@...omnia247.nl>
To: musl@...ts.openwall.com
Cc: jason@...omnia247.nl
Subject: Bug in src/stdio/fread.c
If you look at the code:
size_t fread(void *restrict destv, size_t size, size_t nmemb, FILE *restrict f)
{
	unsigned char *dest = destv;
	size_t len = size*nmemb, l = len, k;
	if (!size) nmemb = 0;

	FLOCK(f);

	f->mode |= f->mode-1;

	if (f->rpos != f->rend) {
		/* First exhaust the buffer. */
		k = MIN(f->rend - f->rpos, l);
		memcpy(dest, f->rpos, k);
		f->rpos += k;
		dest += k;
		l -= k;
	}

	/* Read the remainder directly */
	for (; l; l-=k, dest+=k) {
		k = __toread(f) ? 0 : f->read(f, dest, l);
		if (!k) {
			FUNLOCK(f);
			return (len-l)/size;
		}
	}

	FUNLOCK(f);
	return nmemb;
}
Consider what happens when f->rpos == f->rend: k is used uninitialized.
My suggested fix is:
- if (f->rpos != f->rend) {
+ k = f->rend - f->rpos;
+ if (!k) {
/* First exhaust the buffer. */
- k = MIN(f->rend - f->rpos, l);
+ k = MIN(k, l);
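Review bot: the new condition "if (!k)" inverts the test it replaces. The original "if (f->rpos != f->rend)" enters the block when the buffer still holds data, whereas "k = f->rend - f->rpos; if (!k)" enters it only when the buffer is empty, so "k = MIN(k, l)" is always 0 inside the block and buffered bytes are never copied to dest. The condition should be "if (k)". On the motivation: in the function as quoted, the loop body assigns "k = __toread(f) ? 0 : f->read(f, dest, l);" before "if (!k)" is tested and before the "l-=k, dest+=k" step runs, so the first read of k in the loop follows an assignment even when the buffer block is skipped. With the condition corrected, the change computes the buffered length once up front but does not alter what the visible code reads from k. The diff also carries no file header or @@ hunk header, so it cannot be applied as sent.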