From: Bruno Haible
To: bug-gnulib@gnu.org
Subject: fflush: Fix a buffer overrun on 32-bit Android
Date: Tue, 17 Jan 2023 19:25:32 +0100

On Android, I see a test failure:

FAIL: test-yesno.sh
===================

test-yesno: write error: Bad address
test-yesno: write error: Bad address
xout.tmp out.tmp differ: char 1, line 1
test-yesno: write error: Bad address
test-yesno: write error: Bad address
xout.tmp out.tmp differ: char 1, line 1
test-yesno: write error: Bad address
cmp: EOF on out.tmp which is empty
FAIL test-yesno.sh (exit status: 1)

The cause is that
  - This test uses atexit (close_stdin);
  - close_stdin calls fflush (stdin). This uses the Gnulib replacement
    for fflush. In function update_fpos_cache it overwrites a word of
    memory past *stdin. Namely the first word of *stdout.
  - Then, close_stdin calls close_stdout, which calls close_stream (stdout),
    which calls __fpending (stdout). Since *stdout is not in a valid state,
    __fpending (stdout) returns a huge value, rather than 0.
  - close_stream then goes along a wrong control path.

This patch fixes it.

2023-01-17 Bruno Haible fflush: Fix a buffer overrun on 32-bit Android. * lib/stdio-impl.h (fp_): On Android, change the type of _offset to 'long'. * lib/fflush.c (update_fpos_cache): On Android, update a 'long', not an 'fpos_t'. diff --git a/lib/fflush.c b/lib/fflush.c index d38f5f00a3..f3689b3e81 100644 --- a/lib/fflush.c +++ b/lib/fflush.c @@ -99,7 +99,7 @@ update_fpos_cache (_GL_ATTRIBUTE_MAYBE_UNUSED FILE *fp, { # if defined __sferror || defined __DragonFly__ || defined __ANDROID__ /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */ -# if defined __CYGWIN__ +# if defined __CYGWIN__ || defined __ANDROID__ /* fp_->_offset is typed as an integer. */ fp_->_offset = pos; # else diff --git a/lib/stdio-impl.h b/lib/stdio-impl.h index 81e7f83837..89056b0de5 100644 --- a/lib/stdio-impl.h +++ b/lib/stdio-impl.h @@ -96,7 +96,7 @@ unsigned char _nbuf[1]; \ struct { unsigned char *_base; size_t _size; } _lb; \ int _blksize; \ - fpos_t _offset; \ + long _offset; \ /* More fields, not relevant here. */ \ } *) fp) # else
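
Review bot: In the lib/fflush.c hunk, the branch comment `/* fp_->_offset is typed as an integer. */` no longer says enough now that `__ANDROID__` shares the branch with `__CYGWIN__`. The companion hunk makes the field a `long`, so `fp_->_offset = pos;` narrows `pos` whenever `pos` is wider than `long`, which is the case to think about on a 32-bit target. The type of `pos` is not visible in these lines. If it can be wider, spell the conversion with an explicit cast and a comment saying why a truncated cached offset is acceptable; if it cannot, say so in the comment.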
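
Review bot: In the lib/stdio-impl.h hunk, `long _offset;` carries no comment tying its type to the platform's own declaration, and the conditional that selects this struct lies outside the visible context, so these lines alone do not confirm that only Android is affected, as the ChangeLog entry says. A store through `fp_` lands in the real FILE object, so a field wider than the platform's writes past it. Please add a comment on the field naming the platform declaration it mirrors, and consider a compile-time size check next to the cast so that a future layout drift fails the build instead of corrupting the neighbouring stream.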
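
The overrun described in the message, reduced to a stand-alone model: this is an added example, not code from Gnulib or from the patch. The struct names, fields and layout are constructed for illustration and are not Android's real FILE layout; the store is modelled with memcpy into a two-element array so the program itself stays well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the platform's stream object: the cached file
   offset is a 32-bit field at the very end of the struct. */
struct real_stream { uint32_t flags; int32_t blksize; int32_t offset; };

/* Shadow declarations of the same object, as a library that reaches into
   the internals would write them.  Only the width of 'offset' differs. */
struct shadow_wide  { uint32_t flags; int32_t blksize; int64_t offset; };
struct shadow_exact { uint32_t flags; int32_t blksize; int32_t offset; };

/* First byte past a member: how far a store to that member can reach. */
#define FIELD_END(type, m) (offsetof (type, m) + sizeof (((type *) 0)->m))

/* Compile-time guard: the shadow field must end inside the real object. */
_Static_assert (FIELD_END (struct shadow_exact, offset)
                <= sizeof (struct real_stream), "shadow field overruns object");

#define SENTINEL 0xA5A5A5A5u

/* Two adjacent stream objects, like stdin followed by stdout.  Copy 'len'
   bytes to 'field_off' in the first one, which is what an assignment through
   the shadow struct amounts to, and return the neighbour's first word. */
static uint32_t
neighbour_after_store (size_t field_off, const void *val, size_t len)
{
  struct real_stream pair[2] = { { 0, 0, 0 }, { SENTINEL, 0, 0 } };
  memcpy ((unsigned char *) pair + field_off, val, len); /* inside pair[] */
  return pair[1].flags;
}

static uint32_t store_wide (int64_t pos)    /* 8-byte store at byte 8 */
{
  return neighbour_after_store (offsetof (struct shadow_wide, offset), &pos, sizeof pos);
}

static uint32_t store_exact (int32_t pos)   /* 4-byte store at byte 8 */
{
  return neighbour_after_store (offsetof (struct shadow_exact, offset), &pos, sizeof pos);
}

int main (void)
{
  printf ("wide field:  neighbour flags = %#x\n", (unsigned) store_wide (4096));
  printf ("exact field: neighbour flags = %#x\n", (unsigned) store_exact (4096));
  return 0;
}
```

Applying the same `_Static_assert` to `struct shadow_wide` fails to compile, which is the build-time signal that the shadow declaration has drifted from the object it describes.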