From 805288c2f062e70e8a9147e980840dcb119a7aa9 Mon Sep 17 00:00:00 2001 From: Xin LI Date: Wed, 10 Dec 2014 08:18:22 +0000 Subject: [PATCH] In r268924 __fflush was modified so that when write(2) was not successful, _p and _w are adjusted to account for the partial write (if any). However, _p and _w should not be unconditionally adjusted and should only be changed when we actually wrote some bytes, or the accumulated accounting error will eventually result in a heap buffer overflow. Reported by: adrian and alfred (Norse Corporation) Security: FreeBSD-SA-14:27.stdio Security: CVE-2014-8611 --- lib/libc/stdio/fflush.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/libc/stdio/fflush.c b/lib/libc/stdio/fflush.c index ef9b45b8b6f..123167a0912 100644 --- a/lib/libc/stdio/fflush.c +++ b/lib/libc/stdio/fflush.c @@ -124,11 +124,13 @@ __sflush(FILE *fp) t = _swrite(fp, (char *)p, n); if (t <= 0) { /* Reset _p and _w. */ - if (p > fp->_p) /* Some was written. */ + if (p > fp->_p) { + /* Some was written. */ memmove(fp->_p, p, n); - fp->_p += n; - if ((fp->_flags & (__SLBF | __SNBF)) == 0) - fp->_w -= n; + fp->_p += n; + if ((fp->_flags & (__SLBF | __SNBF)) == 0) + fp->_w -= n; + } fp->_flags |= __SERR; return (EOF); } -- 2.45.0