diff --git a/NEWS b/NEWS
index 28ef45d..660fbe0 100644
--- a/NEWS
+++ b/NEWS
@@ -10,8 +10,8 @@ Version 2.22
 * The following bugs are resolved with this release:
 4719, 13064, 14094, 15319, 15467, 15790, 16560, 17269, 17569, 17588,
- 17792, 17912, 17932, 17944, 17949, 17964, 17965, 17967, 17969, 17978,
- 17987, 17991, 17996, 17998, 17999.
+ 17792, 17912, 17916, 17932, 17944, 17949, 17964, 17965, 17967, 17969,
+ 17978, 17987, 17991, 17996, 17998, 17999.
 * Character encoding and ctype tables were updated to Unicode 7.0.0, using new generator scripts contributed by Pravin Satpute and Mike FABIAN (Red
diff --git a/libio/fileops.c b/libio/fileops.c
index 297b478..c6ad2cf 100644
--- a/libio/fileops.c
+++ b/libio/fileops.c
@@ -353,7 +353,10 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
 struct gconv_fcts fcts;
 struct _IO_codecvt *cc;
 char *endp = __strchrnul (cs + 5, ',');
- char ccs[endp - (cs + 5) + 3];
+ char *ccs = malloc (endp - (cs + 5) + 3);
+
+ if (ccs == NULL)
+ return NULL;
 *((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0';
 strip (ccs, ccs);
@@ -365,10 +368,13 @@ _IO_new_file_fopen (_IO_FILE *fp, const char *filename, const char *mode,
 This means we cannot proceed since the user explicitly asked for these. */
 (void) _IO_file_close_it (fp);
+ free (ccs);
 __set_errno (EINVAL);
 return NULL;
 }
+ free (ccs);
+
 assert (fcts.towc_nsteps == 1);
 assert (fcts.tomb_nsteps == 1);
diff --git a/libio/tst-fopenloc.c b/libio/tst-fopenloc.c
index 1336023..ddabc0a 100644
--- a/libio/tst-fopenloc.c
+++ b/libio/tst-fopenloc.c
@@ -57,6 +57,21 @@ do_test (void)
 fclose (fp);
+ /* BZ #17916 -- check invalid large ccs= case. */
+ const size_t sz = 1 << 24; /* 16MiB */
+ char *ccs = malloc (sz);
+ strcpy (ccs, "r,ccs=");
+ memset (ccs + 6, 'A', sz - 6 - 1);
+ ccs[sz - 1] = '\0';
+
+ fp = fopen (inputfile, ccs);
+ if (fp != NULL)
+ {
+ printf ("unxpected success\n");
+ return 1;
+ }
+ free (ccs);
+
 return 0;
 }
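Review bot: The new `if (ccs == NULL) return NULL;` in the first fileops.c hunk returns without closing the stream, whereas the sibling error path in the second hunk calls `(void) _IO_file_close_it (fp);` before returning, which indicates fp is already open at this point; on allocation failure the caller gets NULL but the open descriptor appears to be leaked, and errno from malloc is not guarded against being clobbered by any cleanup. The NULL check should mirror the existing failure path: save errno, close the stream, restore errno, then return. _IO_new_file_fopen begins and ends outside both hunks, so I cannot rule out an outer cleanup, but none is visible.
```c
	  char *ccs = malloc (endp - (cs + 5) + 3);
	  if (ccs == NULL)
	    {
	      int malloc_err = errno;	/* keep malloc's errno across the close */
	      (void) _IO_file_close_it (fp);
	      __set_errno (malloc_err);
	      return NULL;
	    }
	  /* … unchanged: copy the ccs= value into ccs and strip it … */
```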
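Review bot: In the tst-fopenloc.c hunk, `char *ccs = malloc (sz);` is immediately followed by `strcpy (ccs, "r,ccs=");` with no NULL check, so a failed 16 MiB allocation becomes a crash instead of a reported test failure; add `if (ccs == NULL) { puts ("malloc failed"); return 1; }` before the strcpy. The diagnostic on the unexpected-success branch has a typo and should read `printf ("unexpected success\n");`. The test only checks that fopen returns NULL; if the intended contract is that a bad ccs= value fails with EINVAL, as the fileops.c error path presumably produces, asserting `errno == EINVAL` after the call would pin that. do_test starts outside the hunk.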