Bug 88409
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | strxfrm() overruns buffer by indexing with uninitialized value | | |
| Product: | [Retired] Red Hat Linux | Reporter: | John Reiser <jreiser> |
| Component: | glibc | Assignee: | Jakub Jelinek <jakub> |
| Status: | CLOSED UPSTREAM | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9 | CC: | fweimer |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Last Closed: | 2003-04-14 23:17:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Created attachment 91052 [details]
proposed patch

initializes boundary element using idxmax count instead of srclen.

An appropriate patch has been checked into the official glibc CVS archive and will show up in the next glibc RPM. Should be fixed in RHL9 errata. Test version at ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value, which can cause an overrun. The bad reference happens at

    strxfrm.c line 276
    rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];

when idxcnt==(idxmax - 1) and the input string has multibyte characters for which the number of characters is less than the number of bytes; for instance, ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm. Note that idxmax is the number of characters in the input string, as counted by the do...while loop at lines 201-209. There is a preceding statement

    strxfrm.c line 201
    rulearr[srclen] = '\0';

which works only some of the time. Instead, this statement should follow the loop:

    rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it could be up to 0xff. Then indexing the outer array "rulesets[ UV * nrules + pass]" can exceed the bounds of rulesets.

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1. Run testcase localedata/tst_strxfrm and pay attention to the test of ja_JP.EUC-JP:3:1:3:S .

Actual Results:
Access to uninitialized rulearr[idxcnt + 1], and using that value as part of an index to dynamic array rulesets.

Expected Results:
No use of uninitialized value from rulearr[].
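The following is an added illustration of the off-by-one described in the report, not code from the report, the attached patch or glibc: it models rulearr as a heap buffer poisoned with 0xff (standing in for uninitialized memory), writes the terminator either at rulearr[srclen] as reported or at rulearr[idxmax] as the reporter proposes, and returns what the line-276 lookup would read when idxcnt == idxmax - 1. The toy two-byte encoding, the rule-index stand-in, the table sizes and the sample strings are assumptions constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the rulearr/rulesets handling from the report; not
 * glibc code.  Toy encoding: a byte >= 0x80 starts a two-byte character
 * (EUC-JP-like), so the character count idxmax can be below srclen. */
enum { NRULESETS = 4, NRULES = 2 };  /* toy rulesets table: NRULESETS*NRULES */

/* constructed inputs: 'a' + one two-byte char + 'b' (srclen 4, idxmax 3), and a single-byte string */
static const unsigned char SAMPLE_MB[]    = { 'a', 0x82, 0x40, 'b' };
static const unsigned char SAMPLE_ASCII[] = { 'a', 'b' };

/* Record one ruleset index per character; returns idxmax (character count). */
static size_t fill_rulearr(const unsigned char *src, size_t srclen,
                           unsigned char *rulearr)
{
    size_t idxmax = 0, i = 0;
    while (i < srclen) {
        unsigned char lead = src[i];
        rulearr[idxmax++] = lead % NRULESETS;  /* stand-in for the locale lookup */
        i += (lead >= 0x80) ? 2 : 1;
    }
    return idxmax;
}

/* Returns rulearr[idxmax], i.e. what
 *   rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
 * reads when idxcnt == idxmax - 1.  terminate_at_srclen != 0 mirrors the
 * reported rulearr[srclen] = '\0'; 0 applies rulearr[idxmax] = '\0' after the loop. */
int sentinel_value(const unsigned char *src, size_t srclen, int terminate_at_srclen)
{
    unsigned char *rulearr = malloc(srclen + 1);
    if (!rulearr) return -1;
    memset(rulearr, 0xff, srclen + 1);  /* poison stands in for uninitialized heap */
    if (terminate_at_srclen)
        rulearr[srclen] = '\0';
    size_t idxmax = fill_rulearr(src, srclen, rulearr);
    if (!terminate_at_srclen)
        rulearr[idxmax] = '\0';
    int v = rulearr[idxmax];
    free(rulearr);
    return v;
}

/* Would rulesets[value * nrules + pass] stay inside the toy table? */
int index_in_bounds(int value, int pass)
{
    return (size_t)value * NRULES + pass < (size_t)NRULESETS * NRULES;
}
```

With the multibyte sample the reported placement leaves 0xff at rulearr[idxmax] and the resulting index lands outside the table, while the single-byte sample happens to work because srclen equals idxmax there.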