mirrors/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2024-11-24 18:23:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fopencookie: Mangle function pointers stored on the heap [BZ #20222]

Browse Source
This commit is contained in:
Florian Weimer 2016-06-11 12:07:14 +02:00
parent bc24924027
commit 983fd5c41a
2 changed files with 46 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -1,3 +1,14 @@
2016-06-11 Florian Weimer <fweimer@redhat.com>
[BZ #20222]
* libio/iofopncook.c (_IO_cookie_read): Demangle callback pointer.
(_IO_cookie_write): Likewise.
(_IO_cookie_seek): Likewise.
(_IO_cookie_close): Likewise.
(_IO_old_cookie_seek): Likewise.
(set_callbacks): New function.
(_IO_cookie_init): Call set_callbacks to copy callbacks.
2016-06-11 Marko Myllynen <myllynen@redhat.com> 2016-06-11 Marko Myllynen <myllynen@redhat.com>
* locale/programs/localedef.c (oldstyle_tables): Remove. * locale/programs/localedef.c (oldstyle_tables): Remove.

49
libio/iofopncook.c
View File

@ -43,25 +43,29 @@ static _IO_ssize_t
_IO_cookie_read (_IO_FILE *fp, void *buf, _IO_ssize_t size) _IO_cookie_read (_IO_FILE *fp, void *buf, _IO_ssize_t size)
{ {
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
cookie_read_function_t *read_cb = cfile->__io_functions.read;
PTR_DEMANGLE (read_cb);
if (cfile->__io_functions.read == NULL) if (read_cb == NULL)
return -1; return -1;
return cfile->__io_functions.read (cfile->__cookie, buf, size); return read_cb (cfile->__cookie, buf, size);
} }
static _IO_ssize_t static _IO_ssize_t
_IO_cookie_write (_IO_FILE *fp, const void *buf, _IO_ssize_t size) _IO_cookie_write (_IO_FILE *fp, const void *buf, _IO_ssize_t size)
{ {
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
cookie_write_function_t *write_cb = cfile->__io_functions.write;
PTR_DEMANGLE (write_cb);
if (cfile->__io_functions.write == NULL) if (write_cb == NULL)
{ {
fp->_flags |= _IO_ERR_SEEN; fp->_flags |= _IO_ERR_SEEN;
return 0; return 0;
} }
_IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size); _IO_ssize_t n = write_cb (cfile->__cookie, buf, size);
if (n < size) if (n < size)
fp->_flags |= _IO_ERR_SEEN; fp->_flags |= _IO_ERR_SEEN;
@ -72,9 +76,11 @@ static _IO_off64_t
_IO_cookie_seek (_IO_FILE *fp, _IO_off64_t offset, int dir) _IO_cookie_seek (_IO_FILE *fp, _IO_off64_t offset, int dir)
{ {
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
PTR_DEMANGLE (seek_cb);
return ((cfile->__io_functions.seek == NULL return ((seek_cb == NULL
|| (cfile->__io_functions.seek (cfile->__cookie, &offset, dir) || (seek_cb (cfile->__cookie, &offset, dir)
== -1) == -1)
|| offset == (_IO_off64_t) -1) || offset == (_IO_off64_t) -1)
? _IO_pos_BAD : offset); ? _IO_pos_BAD : offset);
@ -84,11 +90,13 @@ static int
_IO_cookie_close (_IO_FILE *fp) _IO_cookie_close (_IO_FILE *fp)
{ {
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
cookie_close_function_t *close_cb = cfile->__io_functions.close;
PTR_DEMANGLE (close_cb);
if (cfile->__io_functions.close == NULL) if (close_cb == NULL)
return 0; return 0;
return cfile->__io_functions.close (cfile->__cookie); return close_cb (cfile->__cookie);
} }
@ -126,6 +134,19 @@ static const struct _IO_jump_t _IO_cookie_jumps = {
}; };
/* Copy the callbacks from SOURCE to *TARGET, with pointer
mangling. */
static void
set_callbacks (_IO_cookie_io_functions_t *target,
_IO_cookie_io_functions_t source)
{
PTR_MANGLE (source.read);
PTR_MANGLE (source.write);
PTR_MANGLE (source.seek);
PTR_MANGLE (source.close);
*target = source;
}
void void
_IO_cookie_init (struct _IO_cookie_file *cfile, int read_write, _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
void *cookie, _IO_cookie_io_functions_t io_functions) void *cookie, _IO_cookie_io_functions_t io_functions)
@ -134,7 +155,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
_IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps; _IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps;
cfile->__cookie = cookie; cfile->__cookie = cookie;
cfile->__io_functions = io_functions; set_callbacks (&cfile->__io_functions, io_functions);
_IO_file_init (&cfile->__fp); _IO_file_init (&cfile->__fp);
@ -205,14 +226,14 @@ attribute_compat_text_section
_IO_old_cookie_seek (_IO_FILE *fp, _IO_off64_t offset, int dir) _IO_old_cookie_seek (_IO_FILE *fp, _IO_off64_t offset, int dir)
{ {
struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp; struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
int (*seek) (_IO_FILE *, _IO_off_t, int); int (*seek_cb) (_IO_FILE *, _IO_off_t, int)
int ret; = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;;
PTR_DEMANGLE (seek_cb);
seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek; if (seek_cb == NULL)
if (seek == NULL)
return _IO_pos_BAD; return _IO_pos_BAD;
ret = seek (cfile->__cookie, offset, dir); int ret = seek_cb (cfile->__cookie, offset, dir);
return (ret == -1) ? _IO_pos_BAD : ret; return (ret == -1) ? _IO_pos_BAD : ret;
} }