Bug 88099

Summary: buffer underrun in read_input_file/gencat.c
Product: [Retired] Red Hat Linux Reporter: John Reiser <jreiser>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED ERRATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: fweimer
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-04-09 19:21:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description John Reiser 2003-04-05 17:44:24 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
gencat -H references memory just below a malloc()ed block.  act_len can get
decremented to zero, not tested, yet used to index buf[act_len -1].

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run catgets testcase:  gencat -H test-gencat.h < sample.SJIS
with a breakpoint at gencat.c:336:
-----
          if (buf[act_len - 1] == '\n')
            {
              --act_len;

              /* There might be more than one backslash at the end of
                 the line.  Only if there is an odd number of them is
                 the line continued.  */
              if (buf[act_len - 1] == '\\')   ### act_len can be 0
-----

2. Observe the case when 0==act_len and a reference is made to buf[act_len -1].
3.
    

Actual Results:  'buf' is referenced at index -1, which is outside the bounds of
a malloc()ed block.

Expected Results:  No reference outside the bounds of a malloc()ed block.

Additional info:

Comment 1 Jakub Jelinek 2003-04-09 19:21:39 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-136.html