Bug 88978

Summary: locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Product: [Retired] Red Hat Linux
Reporter: John Reiser <jreiser>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED UPSTREAM
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 9
CC: fweimer
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-04-17 02:55:46 UTC

Description John Reiser 2003-04-15 22:12:14 UTC

Description of problem:
The output from generating locale ja_JP.EUC-JP contains two undefined bytes
because they were written from beyond the end of a malloc()ed block.

-----locale/programs/ld-time.c:700
      l = (strchr (time->era_entries[num].format, '\0')
           - time->era_entries[num].name) + 1;
      l = (l + 3) & ~3;
      iov[2 + cnt].iov_base = (void *) time->era_entries[num].name;
      iov[2 + cnt].iov_len = l;
-----
Here cnt=167 and the first assignment gives l=13.  The iov_base is 18 bytes into
a block of length 32, and (iov_len + iov_base) is 2 bytes beyond the end of the
block.  The actual overrun occurs later during the writev:
-----
  Reading overflows memory.

          bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
          |                32                 | 2 |
                                              rrrrr

   Reading    (r) : 0x09330e40 thru 0x09330e41 (2 bytes)
   From block (b) : 0x09330e20 thru 0x09330e3f (32 bytes)
                   block allocated at xmalloc.c, 82
                         xmalloc()  programs/xmalloc.c, 82
                     time_finish()  programs/ld-time.c, 239
            check_all_categories()  programs/locfile.c, 298
                            main()  programs/localedef.c, 279

  Stack trace where the error occurred:
                      0xffffe002()
                        __writev()  ../sysdeps/unix/sysv/linux/writev.c, 47
               write_locale_data()  programs/locfile.c, 646
                     time_output()  programs/ld-time.c, 909
            write_all_categories()  programs/locfile.c, 331
                            main()  programs/localedef.c, 289
-----


Version-Release number of selected component (if applicable):
2.3.2-27.9

How reproducible:
Always

Steps to Reproduce:
1. Generate locale ja_JP.EUC-JP, by making the 'tests' target in directory
localedata.


Actual Results:  The third call to writev() has 410 elements, element 169 is 16
bytes beginning at offset +18 in a block of 32 bytes returned by xmalloc(), and
therefore overruns the block by two bytes.

Expected Results:  No block overrun.


Additional info:
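
Worked example (added to this page; it is neither the reporter's code nor glibc's): a small C program that rebuilds the layout from the report, one 32-byte malloc()ed block with name at offset 18 and format right behind it, computes iov_len exactly as the quoted ld-time.c does (length from name through the NUL of format, rounded up to a multiple of 4), and returns how many bytes a writev() of that iovec would read past the block. It then shows one way to keep the 4-byte alignment of the output without reading memory the block does not own: hand writev() the exact bytes, and take the padding from a separate zero-filled iovec. The string contents ("Meiji", "%EC%Ey"), the function names, and this particular fix are assumptions for illustration; the report does not say how upstream fixed it.

```c
/* Added example, not glibc code. Models the overrun in the report above:
 * a 32-byte block holds "name" at offset 18 and "format" immediately after
 * it; the writer rounds the combined length up to a multiple of 4 and passes
 * that as iov_len, but nothing pads the allocation. The string contents and
 * the hardened writer are constructed for illustration (assumptions). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/uio.h>

enum { BLOCK_SIZE = 32, NAME_OFF = 18 };

/* Constructed block: bytes 0..17 stand in for other era fields (filler),
   "Meiji\0" sits at 18..23 and "%EC%Ey\0" at 24..30, so the NUL of format
   is byte 30 and byte 31 is unused. No slack follows the strings. Caller frees. */
char *make_era_block(void) {
    char *blk = malloc(BLOCK_SIZE);
    if (!blk) abort();
    memset(blk, 'x', BLOCK_SIZE);
    memcpy(blk + NAME_OFF, "Meiji", 6);        /* name, NUL included */
    memcpy(blk + NAME_OFF + 6, "%EC%Ey", 7);   /* format, NUL included */
    return blk;
}

/* Exact length from name through the terminating NUL of format (13 here). */
size_t exact_len(const char *name, const char *format) {
    return (size_t)(strchr(format, '\0') - name) + 1;
}

/* The length the quoted ld-time.c computes: exact length rounded up to a
   multiple of 4 (16 here). This is what ends up in iov_len. */
size_t rounded_len(const char *name, const char *format) {
    size_t l = exact_len(name, format);
    return (l + 3) & ~(size_t)3;
}

/* Bytes an iovec of iov_len bytes starting at offset off would read past a
   block of block_size bytes; 0 when it fits. */
size_t overrun_bytes(size_t block_size, size_t off, size_t iov_len) {
    size_t end = off + iov_len;
    return end > block_size ? end - block_size : 0;
}

/* Reproduce the report's numbers: offset 18, rounded length 16, block 32.
   Returns the overrun in bytes (2). */
size_t report_case_overrun(void) {
    char *blk = make_era_block();
    const char *name = blk + NAME_OFF;
    const char *format = name + strlen(name) + 1;
    size_t over = overrun_bytes(BLOCK_SIZE, NAME_OFF, rounded_len(name, format));
    free(blk);
    return over;
}

/* Hardened writer (one possible fix, an assumption): write exactly the bytes
   the block owns, then the alignment padding from a static zero buffer, so
   no iovec extends past its allocation. Returns bytes written or -1. */
ssize_t write_aligned(int fd, const char *name, const char *format) {
    static const char zeros[4] = {0};
    size_t l = exact_len(name, format);
    size_t pad = rounded_len(name, format) - l;   /* 0..3 */
    struct iovec iov[2];
    iov[0].iov_base = (void *)name;
    iov[0].iov_len = l;
    iov[1].iov_base = (void *)zeros;
    iov[1].iov_len = pad;
    return writev(fd, iov, pad ? 2 : 1);
}

/* Round-trip the hardened writer through a pipe and check what arrives:
   16 bytes, the 13 data bytes intact and the 3 padding bytes all zero.
   Returns 1 on success, 0 otherwise. */
int roundtrip_ok(void) {
    int fds[2];
    char out[64];
    if (pipe(fds) != 0) return 0;
    char *blk = make_era_block();
    const char *name = blk + NAME_OFF;
    const char *format = name + strlen(name) + 1;
    size_t l = exact_len(name, format);        /* 13 */
    size_t want = rounded_len(name, format);   /* 16 */
    ssize_t w = write_aligned(fds[1], name, format);
    close(fds[1]);
    ssize_t n = (w < 0) ? -1 : read(fds[0], out, sizeof out);
    close(fds[0]);
    int ok = (n == (ssize_t)want) && memcmp(out, name, l) == 0;
    for (size_t i = l; ok && i < want; i++)
        if (out[i] != 0) ok = 0;
    free(blk);
    return ok;
}
```

report_case_overrun() gives the 2 bytes the report measured (18 + 16 - 32). The pipe round trip in roundtrip_ok() confirms the padded writer still emits a 16-byte, 4-byte-aligned record, but every byte of it now comes from memory the program owns.
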

Comment 1 Ulrich Drepper 2003-04-17 02:55:46 UTC
I've added a patch to the official glibc CVS archive.

Comment 2 Ulrich Drepper 2003-11-04 21:35:28 UTC
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/