fix writes outside buffer by ungetc after setvbuf
author Rich Felker <dalias@aerifal.cx>
Sat, 14 Jul 2018 01:56:27 +0000 (21:56 -0400)
committer Rich Felker <dalias@aerifal.cx>
Sat, 14 Jul 2018 01:56:27 +0000 (21:56 -0400)
commit 0b80a7b0404b6e49b0b724e3e3fe0ed5af3b08ef, which added non-stub
setvbuf, applied the UNGET pushback adjustment to the size of the
buffer passed in, but inadvertently omitted offsetting the start by
the same amount, thereby allowing unget to clobber up to 8 bytes
before the start of the buffer. this bug was introduced in the present
release cycle; no releases are affected.

src/stdio/setvbuf.c

index b6b9b018d6510b7a47975a2f6b7d5bb93c7a19d3..06ea296c6a64202ed4f95e23c6af884f5305e1e7 100644 (file)
@@ -14,7 +14,7 @@ int setvbuf(FILE *restrict f, char *restrict buf, int type, size_t size)
                f->buf_size = 0;
        } else {
                if (buf && size >= UNGET) {
-                       f->buf = (void *)buf;
+                       f->buf = (void *)(buf + UNGET);
                        f->buf_size = size - UNGET;
                }
                if (type == _IOLBF && f->buf_size)
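
Review bot: the two assignments under `if (buf && size >= UNGET)` must stay in step (start advanced by UNGET, size reduced by UNGET), and nothing in the code states that invariant. The commit message shows what happens when only one half is applied: ungetc can write up to 8 bytes before the caller's buffer. Suggest a one-line comment above the pair saying that the first UNGET bytes of the caller's buffer are reserved for pushback. A regression test would also help: call setvbuf on a buffer that sits after guard bytes, call ungetc, and check that the guard bytes are unchanged. Separately, when buf is non-null but size is below UNGET, this branch silently leaves f->buf and f->buf_size as they were; if that is intended, a short comment would make it clear.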