From: Rich Felker <dalias@aerifal.cx>
Date: Sat, 14 Jul 2018 01:56:27 +0000 (-0400)
Subject: fix writes outside buffer by ungetc after setvbuf
X-Git-Tag: v1.1.20~45
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9cad27a3dc1a4eb349b6591e4dc8cc89dce32277;p=oweals%2Fmusl.git

fix writes outside buffer by ungetc after setvbuf

commit 0b80a7b0404b6e49b0b724e3e3fe0ed5af3b08ef, which added non-stub
setvbuf, applied the UNGET pushback adjustment to the size of the
buffer passed in, but inadvertently omitted offsetting the start by
the same amount, thereby allowing unget to clobber up to 8 bytes
before the start of the buffer. this bug was introduced in the present
release cycle; no releases are affected.
---

diff --git a/src/stdio/setvbuf.c b/src/stdio/setvbuf.c
index b6b9b018..06ea296c 100644
--- a/src/stdio/setvbuf.c
+++ b/src/stdio/setvbuf.c
@@ -14,7 +14,7 @@ int setvbuf(FILE *restrict f, char *restrict buf, int type, size_t size)
 		f->buf_size = 0;
 	} else {
 		if (buf && size >= UNGET) {
-			f->buf = (void *)buf;
+			f->buf = (void *)(buf + UNGET);
 			f->buf_size = size - UNGET;
 		}
 		if (type == _IOLBF && f->buf_size)