base/SOURCES/glibc-rh1372305.patch

commit 983fd5c41ab7e5a5c33922259ca1ac99b3b413f8
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Jun 11 12:07:14 2016 +0200

    fopencookie: Mangle function pointers stored on the heap [BZ #20222]

diff --git a/libio/iofopncook.c b/libio/iofopncook.c
index 5dcbe51f11182b68..b1c0d7f6ccc4db15 100644
--- a/libio/iofopncook.c
+++ b/libio/iofopncook.c
@@ -46,11 +46,13 @@ _IO_cookie_read (fp, buf, size)
      _IO_ssize_t size;
 {
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+  cookie_read_function_t *read_cb = cfile->__io_functions.read;
+  PTR_DEMANGLE (read_cb);
 
-  if (cfile->__io_functions.read == NULL)
+  if (read_cb == NULL)
     return -1;
 
-  return cfile->__io_functions.read (cfile->__cookie, buf, size);
+  return read_cb (cfile->__cookie, buf, size);
 }
 
 static _IO_ssize_t
@@ -60,14 +62,16 @@ _IO_cookie_write (fp, buf, size)
      _IO_ssize_t size;
 {
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+  cookie_write_function_t *write_cb = cfile->__io_functions.write;
+  PTR_DEMANGLE (write_cb);
 
-  if (cfile->__io_functions.write == NULL)
+  if (write_cb == NULL)
     {
       fp->_flags |= _IO_ERR_SEEN;
       return 0;
     }
 
-  _IO_ssize_t n = cfile->__io_functions.write (cfile->__cookie, buf, size);
+  _IO_ssize_t n = write_cb (cfile->__cookie, buf, size);
   if (n < size)
     fp->_flags |= _IO_ERR_SEEN;
 
@@ -81,9 +85,11 @@ _IO_cookie_seek (fp, offset, dir)
      int dir;
 {
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+  cookie_seek_function_t *seek_cb = cfile->__io_functions.seek;
+  PTR_DEMANGLE (seek_cb);
 
-  return ((cfile->__io_functions.seek == NULL
-	   || (cfile->__io_functions.seek (cfile->__cookie, &offset, dir)
+  return ((seek_cb == NULL
+	   || (seek_cb (cfile->__cookie, &offset, dir)
 	       == -1)
 	   || offset == (_IO_off64_t) -1)
 	  ? _IO_pos_BAD : offset);
@@ -94,11 +100,13 @@ _IO_cookie_close (fp)
      _IO_FILE *fp;
 {
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
+  cookie_close_function_t *close_cb = cfile->__io_functions.close;
+  PTR_DEMANGLE (close_cb);
 
-  if (cfile->__io_functions.close == NULL)
+  if (close_cb == NULL)
     return 0;
 
-  return cfile->__io_functions.close (cfile->__cookie);
+  return close_cb (cfile->__cookie);
 }
 
 
@@ -140,6 +148,19 @@ static const struct _IO_jump_t _IO_cookie_jumps libio_vtable = {
 };
 
 
+/* Copy the callbacks from SOURCE to *TARGET, with pointer
+   mangling.  */
+static void
+set_callbacks (_IO_cookie_io_functions_t *target,
+	       _IO_cookie_io_functions_t source)
+{
+  PTR_MANGLE (source.read);
+  PTR_MANGLE (source.write);
+  PTR_MANGLE (source.seek);
+  PTR_MANGLE (source.close);
+  *target = source;
+}
+
 void
 _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
 		 void *cookie, _IO_cookie_io_functions_t io_functions)
@@ -148,7 +169,7 @@ _IO_cookie_init (struct _IO_cookie_file *cfile, int read_write,
   _IO_JUMPS (&cfile->__fp) = &_IO_cookie_jumps;
 
   cfile->__cookie = cookie;
-  cfile->__io_functions = io_functions;
+  set_callbacks (&cfile->__io_functions, io_functions);
 
   _IO_new_file_init_internal (&cfile->__fp);
 
@@ -223,14 +244,14 @@ _IO_old_cookie_seek (fp, offset, dir)
      int dir;
 {
   struct _IO_cookie_file *cfile = (struct _IO_cookie_file *) fp;
-  int (*seek) (_IO_FILE *, _IO_off_t, int);
-  int ret;
+  int (*seek_cb) (_IO_FILE *, _IO_off_t, int)
+    = (int (*) (_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;;
+  PTR_DEMANGLE (seek_cb);
 
-  seek = (int (*)(_IO_FILE *, _IO_off_t, int)) cfile->__io_functions.seek;
-  if (seek == NULL)
+  if (seek_cb == NULL)
     return _IO_pos_BAD;
 
-  ret = seek (cfile->__cookie, offset, dir);
+  int ret = seek_cb (cfile->__cookie, offset, dir);
 
   return (ret == -1) ? _IO_pos_BAD : ret;
 }