From 25f0a504e2e2ff9d0981c632407d28559426b383 Mon Sep 17 00:00:00 2001
From: Rocket Ma <marocketbd@gmail.com>
Date: Fri, 1 May 2026 20:39:07 -0700
Subject: [PATCH] libio: Fix ungetwc operating on byte stream [BZ #33998]

* libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one
character, it accidentally compares the wchar to push back with the last
char from the byte stream, instead of the wide stream. Under specific coding,
an attacker may exploit this to leak information. This commit fixes bug
33998, or CVE-2026-5928.

Signed-off-by: Rocket Ma <marocketbd@gmail.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
---
 libio/wgenops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libio/wgenops.c b/libio/wgenops.c
index 69f3b95896..f12fafcb9f 100644
--- a/libio/wgenops.c
+++ b/libio/wgenops.c
@@ -129,8 +129,8 @@ _IO_wdefault_pbackfail (fp, c)
 {
   if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base
       && !_IO_in_backup (fp)
-      && (wint_t) fp->_IO_read_ptr[-1] == c)
-    --fp->_IO_read_ptr;
+      && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c)
+    --fp->_wide_data->_IO_read_ptr;
   else
     {
       /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/
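Review bot: No regression test accompanies the change to the fast path of _IO_wdefault_pbackfail (the `== c` comparison and the `--` decrement); the diffstat touches only libio/wgenops.c. The guard on the first line of the condition checks `fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base`, while the removed lines read `fp->_IO_read_ptr[-1]` and decremented `fp->_IO_read_ptr`, so the byte-stream pointer was read and moved under a bound check made on a different buffer. Please add a libio test that reads from a wide-oriented stream, calls ungetwc with the character just read, and checks that the next getwc returns it. The commit message would also benefit from saying that the decrement, not only the comparison, was applied to the byte-stream pointer.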
-- 
2.54.0

