From: jason
To: musl@lists.openwall.com
Cc: jason@insomnia247.nl
Date: Sat, 10 Jul 2021 15:10:26 +0200 (CEST)
Message-Id: <20210710131026.AE6BD22201B9@gateway02.insomnia247.nl>
Subject: [musl] Bug in src/stdio/fread.c

If you look at the code:

	size_t fread(void *restrict destv, size_t size, size_t nmemb, FILE *restrict f)
	{
		unsigned char *dest = destv;
		size_t len = size*nmemb, l = len, k;
		if (!size) nmemb = 0;

		FLOCK(f);

		f->mode |= f->mode-1;

		if (f->rpos != f->rend) {
			/* First exhaust the buffer. */
			k = MIN(f->rend - f->rpos, l);
			memcpy(dest, f->rpos, k);
			f->rpos += k;
			dest += k;
			l -= k;
		}

		/* Read the remainder directly */
		for (; l; l-=k, dest+=k) {
			k = __toread(f) ? 0 : f->read(f, dest, l);
			if (!k) {
				FUNLOCK(f);
				return (len-l)/size;
			}
		}

		FUNLOCK(f);
		return nmemb;
	}

Consider what happens when f->rpos == f->rend: k is used uninitialized.

My suggested fix is:

- if (f->rpos != f->rend) {
+ k = f->rend - f->rpos;
+ if (!k) {
/* First exhaust the buffer. */
- k = MIN(f->rend - f->rpos, l);
+ k = MIN(k, l);
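Review bot: the `+ if (!k) {` line inverts the test. After `+ k = f->rend - f->rpos;`, k is the number of buffered bytes, so `if (!k)` enters the "First exhaust the buffer" branch exactly when the buffer is empty and skips it when there is data to drain; it should read `if (k) {`. Separately, the unchanged loop `for (; l; l-=k, dest+=k)` assigns `k = __toread(f) ? 0 : f->read(f, dest, l);` in its body before the `l-=k, dest+=k` increment ever runs, so on the f->rpos == f->rend path k is written before it is read; hoisting `f->rend - f->rpos` into k is a readability change rather than a fix for an uninitialized read, and the commit message should say so.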
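A stand-alone harness, added here as an example and not part of the mail or of musl, that drives the same two-phase drain-then-read loop as the fread() above on the exact path under discussion (f->rpos == f->rend) and on the partially-buffered path. `fake_file`, `fake_read` and `model_fread` are constructed stand-ins for musl's FILE, f->read and fread (locking and __toread omitted); the device contents are constructed sample bytes.

```c
#include <stddef.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-in for the parts of musl's FILE that fread() touches.
 * src is the backing "device"; chunk caps one read() call to simulate short reads. */
struct fake_file {
	unsigned char *rpos, *rend;   /* buffered-but-unread window */
	const unsigned char *src;     /* device contents */
	size_t src_len, src_off, chunk;
};

/* Stand-in for f->read(): up to len bytes, at most chunk per call, 0 at EOF. */
static size_t fake_read(struct fake_file *f, unsigned char *buf, size_t len)
{
	size_t n = MIN(f->src_len - f->src_off, len);
	n = MIN(n, f->chunk);
	memcpy(buf, f->src + f->src_off, n);
	f->src_off += n;
	return n;
}

/* Same structure as the quoted fread(): drain the window, then read directly. */
size_t model_fread(void *destv, size_t size, size_t nmemb, struct fake_file *f)
{
	unsigned char *dest = destv;
	size_t len = size * nmemb, l = len, k;
	if (!size) nmemb = 0;
	if (f->rpos != f->rend) {
		k = MIN((size_t)(f->rend - f->rpos), l);
		memcpy(dest, f->rpos, k);
		f->rpos += k; dest += k; l -= k;
	}
	/* The body assigns k before the increment reads it, even when the
	 * buffer branch above was skipped because the window was empty. */
	for (; l; l -= k, dest += k) {
		k = fake_read(f, dest, l);
		if (!k) return (len - l) / size;   /* short read: whole items only */
	}
	return nmemb;
}

/* Empty window, 10 device bytes served 4 at a time, request 3 items of 4 bytes:
 * expect 2 full items and the bytes "0123456789" in buf; -1 on content mismatch. */
long empty_buffer_case(void)
{
	static const unsigned char dev[] = "0123456789";
	unsigned char buf[12] = {0}, window[1];
	struct fake_file f = { window, window, dev, sizeof dev - 1, 0, 4 };
	size_t n = model_fread(buf, 4, 3, &f);
	return memcmp(buf, "0123456789", 10) == 0 ? (long)n : -1;
}

/* Window holds "abcde", device holds "fgh", request 2 items of 4 bytes: expect 2. */
long buffered_case(void)
{
	unsigned char window[] = "abcde", buf[8] = {0};
	static const unsigned char dev[] = "fgh";
	struct fake_file f = { window, window + 5, dev, 3, 0, 64 };
	size_t n = model_fread(buf, 4, 2, &f);
	return memcmp(buf, "abcdefgh", 8) == 0 ? (long)n : -1;
}
```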