Bug 88409 - strxfrm() overruns buffer by indexing with uninitialized value
strxfrm() overruns buffer by indexing with uninitialized value
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
9
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-04-09 18:01 EDT by John Reiser
Modified: 2016-11-24 09:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-14 19:17:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed patch (878 bytes, patch)
2003-04-09 18:03 EDT, John Reiser
no flags Details | Diff

  None (edit)
Description John Reiser 2003-04-09 18:01:55 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value,
which can cause an overrun.

The bad reference happens at
-----strxfrm.c line 276
               rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
-----
when idxcnt==(idxmax - 1) and the input string has multibyte characters for
which the number of characters is less than the number of bytes; for instance,
ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm.

Note that idxmax is the number of characters in the input string, as counted by
the do...while loop at lines 201-209.  There is a preceding statement
-----strxfrm.c line 201
  rulearr[srclen] = '\0';
-----
which works only some of the time.  Instead, this statement should follow the loop:
  rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it
could be upto 0xff.  Then indexing the outer array  "rulesets[ UV * nrules +
pass]" can exceed the bounds of rulesets.




Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run testcase localedata/tst_strxfrm and pay attention to the test of
ja_JP.EUC-JP:3:1:3:S .
2.
3.
    

Actual Results:  Access to uninitialized rulearr[idxcnt + 1], and using that
value as part of an index to dynamic array rulesets.

Expected Results:  No use of unitialized value from rulearr[].

Additional info:
Comment 1 John Reiser 2003-04-09 18:03:50 EDT
Created attachment 91052 [details]
proposed patch

initializes boundary element using idxmax count instead of srclen.
Comment 2 Ulrich Drepper 2003-04-14 19:17:01 EDT
An appropriate patch has been checked into the official glibc CVS archive and
will show up in the next glibc RPM.
Comment 3 Ulrich Drepper 2003-11-04 16:34:50 EST
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/           
                                                                    

Note You need to log in before you can comment on or make changes to this bug.