Blame SOURCES/glibc-rh1372305.patch

147e83
commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8
147e83
Author: Florian Weimer <fweimer@redhat.com>
147e83
Date:   Sat Jun 11 12:07:14 2016 +0200
147e83
147e83
    fopencookie: Mangle function pointers stored on the heap [BZ #20222]
147e83
147e83
diff --git a/libio/iofopncook.c b/libio/iofopncook.c
147e83
index 5dcbe51f11182b68..b1c0d7f6ccc4db15 100644
147e83
--- a/libio/iofopncook.c
147e83
+++ b/libio/iofopncook.c
147e83
@@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size)
147e83
      _IO_ssize_t size;
147e83
 {
147e83
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
147e83
+  cookie_read_function_t *read_cb = cfile->__io_functions.read;
147e83
+  PTR_DEMANGLE (read_cb);
147e83
 
147e83
-  if (cfile->__io_functions.read == NULL)
147e83
+  if (read_cb == NULL)
147e83
     return -1;
147e83
 
147e83
-  return cfile->__io_functions.read (cfile->__cookie, buf, size);
147e83
+  return read_cb (cfile->__cookie, buf, size);
147e83
 }
147e83
 
147e83
 static _IO_ssize_t
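Review bot: Nothing in `_IO_cookie_read` says why the callback is copied to a local before use, and the order matters: the NULL test is only meaningful after `PTR_DEMANGLE`, because the value kept in `cfile->__io_functions` is the mangled form. A one-line comment above the load, such as `/* Stored mangled; demangle a local copy before the NULL test and the call.  */`, would stop a later cleanup from folding the check back onto the struct field. The same pattern and the same missing comment appear in the `_IO_cookie_write`, `_IO_cookie_seek` and `_IO_cookie_close` hunks below. The function's signature lies above the hunk.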
147e83
@@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size)
147e83
      _IO_ssize_t size;
147e83
 {
147e83
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
147e83
+  cookie_write_function_t *write_cb = cfile->__io_functions.write;
147e83
+  PTR_DEMANGLE (write_cb);
147e83
 
147e83
-  if (cfile->__io_functions.write == NULL)
147e83
+  if (write_cb == NULL)
147e83
     {
147e83
       fp->_flags |= _IO_ERR_SEEN;
147e83
       return 0;
147e83
     }
147e83
 
147e83
-  _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size);
147e83
+  _IO_ssize_t n = write_cb (cfile->__cookie, buf, size);
147e83
   if (n < size)
147e83
     fp->_flags |= _IO_ERR_SEEN;
147e83
 
147e83
@@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir)
147e83
      int dir;
147e83
 {
147e83
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
147e83
+  cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
147e83
+  PTR_DEMANGLE (seek_cb);
147e83
 
147e83
-  return ((cfile->__io_functions.seek == NULL
147e83
-	   || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir)
147e83
+  return ((seek_cb == NULL
147e83
+	   || (seek_cb (cfile->__cookie, &offset, dir)
147e83
 	       == -1)
147e83
 	   || offset == (_IO_off64_t) -1)
147e83
 	  ? _IO_pos_BAD : offset);
147e83
@@ -94,11 +100,13 @@ _IO_cookie_close (fp)
147e83
      _IO_FILE *fp;
147e83
 {
147e83
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
147e83
+  cookie_close_function_t *close_cb = cfile->__io_functions.close;
147e83
+  PTR_DEMANGLE (close_cb);
147e83
 
147e83
-  if (cfile->__io_functions.close == NULL)
147e83
+  if (close_cb == NULL)
147e83
     return 0;
147e83
 
147e83
-  return cfile->__io_functions.close (cfile->__cookie);
147e83
+  return close_cb (cfile->__cookie);
147e83
 }
147e83
 
147e83
 
147e83
@@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps libio_vtable = {
147e83
 };
147e83
 
147e83
 
147e83
+/* Copy the callbacks from SOURCE to *TARGET, with pointer
147e83
+   mangling.  */
147e83
+static void
147e83
+set_callbacks (_IO_cookie_io_functions_t *target,
147e83
+	       _IO_cookie_io_functions_t source)
147e83
+{
147e83
+  PTR_MANGLE (source.read);
147e83
+  PTR_MANGLE (source.write);
147e83
+  PTR_MANGLE (source.seek);
147e83
+  PTR_MANGLE (source.close);
147e83
+  *target = source;
147e83
+}
147e83
+
147e83
 void
147e83
 _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
147e83
 		 void *cookie, _IO_cookie_io_functions_t io_functions)
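Review bot: The comment on `set_callbacks` does not state the invariant the rest of the file now depends on: after this call every member of `*target` holds a mangled value, so it must go through `PTR_DEMANGLE` before being compared or called. On targets where `PTR_MANGLE` is not a no-op this includes a callback the caller passed as NULL, which is why the readers test for NULL only after demangling. I would add a sentence such as `After this, *TARGET must only be read through PTR_DEMANGLE; NULL callbacks are stored mangled as well.` to the existing comment. From the hunks shown, `_IO_cookie_init` is the only writer of `__io_functions`. It is worth confirming that no other path in libio assigns the struct directly, since such a store would later be demangled into an invalid address.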
147e83
@@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
147e83
   _IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps;
147e83
 
147e83
   cfile->__cookie = cookie;
147e83
-  cfile->__io_functions = io_functions;
147e83
+  set_callbacks (&cfile->__io_functions, io_functions);
147e83
 
147e83
   _IO_new_file_init_internal (&cfile->__fp);
147e83
 
147e83
@@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir)
147e83
      int dir;
147e83
 {
147e83
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
147e83
-  int (*seek) (_IO_FILE *, _IO_off_t, int);
147e83
-  int ret;
147e83
+  int (*seek_cb) (_IO_FILE *, _IO_off_t, int)
147e83
+    = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;;
147e83
+  PTR_DEMANGLE (seek_cb);
147e83
 
147e83
-  seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;
147e83
-  if (seek == NULL)
147e83
+  if (seek_cb == NULL)
147e83
     return _IO_pos_BAD;
147e83
 
147e83
-  ret = seek (cfile->__cookie, offset, dir);
147e83
+  int ret = seek_cb (cfile->__cookie, offset, dir);
147e83
 
147e83
   return (ret == -1) ? _IO_pos_BAD : ret;
147e83
 }
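Review bot: The new declaration of `seek_cb` ends in `;;`, leaving a stray empty statement after the initializer; drop the second semicolon so the line reads `= (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;`. This is also the one reader that casts the stored pointer to a different function type before demangling it. A brief comment that the cast is applied to the still-mangled value, and that `PTR_DEMANGLE` then runs on the local, would make that intent explicit. The function's parameter list starts above the hunk.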