Bug 88099 - buffer underrun in read_input_file/gencat.c
Summary: buffer underrun in read_input_file/gencat.c
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-05 17:44 UTC by John Reiser
Modified: 2016-11-24 15:02 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-09 19:21:39 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2003:136 0 high SHIPPED_LIVE glibc bugfix errata 2003-04-09 04:00:00 UTC
Red Hat Product Errata RHSA-2003:089 0 high SHIPPED_LIVE : Updated glibc packages fix vulnerabilities in RPC XDR decoder 2003-04-10 04:00:00 UTC

Description John Reiser 2003-04-05 17:44:24 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
gencat -H references memory just below a malloc()ed block.  act_len can get
decremented to zero, not tested, yet used to index buf[act_len -1].

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run catgets testcase:  gencat -H test-gencat.h < sample.SJIS
with a breakpoint at gencat.c:336:
-----
          if (buf[act_len - 1] == '\n')
            {
              --act_len;

              /* There might be more than one backslash at the end of
                 the line.  Only if there is an odd number of them is
                 the line continued.  */
              if (buf[act_len - 1] == '\\')   ### act_len can be 0
-----

2. Observe the case when 0==act_len and a reference is made to buf[act_len -1].
3.
    

Actual Results:  'buf' is referenced at index -1, which is outside the bounds of
a malloc()ed block.

Expected Results:  No reference outside the bounds of a malloc()ed block.

Additional info:

Comment 1 Jakub Jelinek 2003-04-09 19:21:39 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-136.html



Note You need to log in before you can comment on or make changes to this bug.