[Bug libc/2074] New: _IO_new_file_xsputn() in fileops.c not checking for EOF

["jfardo at laurelnetworks dot com" <sourceware-bugzilla at sourceware dot org>]

In glibc 2.3.4, the function new_do_write() in libio/fileops.c returns an 
unsigned
value (an _IO_size_t). If the underlying write system call in new_do_write()
returns EOF (-1), new_do_write() will return 0xffffffff rather than -1.

The function IO_new_file_xsputn() in libio/fileops.c appears to have
2 problems if the call to new_do_write() returns 0xffffffff. Here's
the specific snippet of code from IO_new_file_xsputn():
      if (do_write)
        {
          count = new_do_write (f, s, do_write);
          to_do -= count;
          if (count < do_write)
            return n - to_do;
        }
      /* Now write out the remainder.  Normally, this will fit in the
	 buffer, but it's somewhat messier for line-buffered files,
	 so we let _IO_default_xsputn handle the general case. */
      if (to_do)
	to_do -= INTUSE(_IO_default_xsputn) (f, s+do_write, to_do);
    }
  return n - to_do;


If new_do_write() returns 0xffffffff, 'to_do' will actually
be incremented by 1. Also, since 'count' is an unsigned quantity,
the if statement 'if (count < do_write)' will evaluate to false,
and the code will incorrectly fall through to the call to
IO_default_xsputn().

-- 
           Summary: _IO_new_file_xsputn() in fileops.c not checking for EOF
           Product: glibc
           Version: 2.3.4
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: jfardo at laurelnetworks dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=2074

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.