Bug 88409 - strxfrm() overruns buffer by indexing with uninitialized value
Summary: strxfrm() overruns buffer by indexing with uninitialized value
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-04-09 22:01 UTC by John Reiser
Modified: 2016-11-24 14:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-14 23:17:01 UTC
Embargoed:


Attachments
proposed patch (878 bytes, patch)
2003-04-09 22:03 UTC, John Reiser


Links
Red Hat Product Errata RHSA-2003:325 (priority normal, status SHIPPED_LIVE): Updated glibc packages provide security and bug fixes. Last updated 2003-11-12 05:00:00 UTC.

Description John Reiser 2003-04-09 22:01:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value,
which can cause an overrun.

The bad reference happens at
-----strxfrm.c line 276
               rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
-----
when idxcnt==(idxmax - 1) and the input string has multibyte characters for
which the number of characters is less than the number of bytes; for instance,
ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm.

Note that idxmax is the number of characters in the input string, as counted by
the do...while loop at lines 201-209.  There is a preceding statement
-----strxfrm.c line 201
  rulearr[srclen] = '\0';
-----
which works only some of the time.  Instead, this statement should follow the loop:
  rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it
could be up to 0xff.  Then indexing the outer array "rulesets[ UV * nrules +
pass]" can exceed the bounds of rulesets.

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1. Run testcase localedata/tst_strxfrm and pay attention to the test of
ja_JP.EUC-JP:3:1:3:S.

Actual Results:  Access to uninitialized rulearr[idxcnt + 1], and using that
value as part of an index to dynamic array rulesets.

Expected Results:  No use of uninitialized value from rulearr[].

Additional info:

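The report describes a sentinel written at the byte index (srclen) of a per-character array, so that for multibyte input the slot at the character index (idxmax) is never initialized and is later used to index rulesets. The following is an added example that models that bookkeeping; it is not glibc's strxfrm() source and not the reporter's patch. The names rulearr, idxmax, srclen, idxcnt, nrules and pass follow the report; the toy two-byte encoding, the POISON byte standing in for uninitialized memory, the toy rule numbers, the unsigned char element type and the rulesets table size are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the rulearr[] sentinel bug described in the report.
 * NOT glibc code. POISON stands in for whatever an uninitialized byte holds
 * (the report notes it "could be up to 0xff"). */
#define POISON 0xff

/* Toy multibyte encoding (assumption): a lead byte >= 0x80 is followed by
 * exactly one trail byte, so such a character is 2 bytes; all else is 1 byte. */
static size_t toy_char_len(const unsigned char *p)
{
    return (*p >= 0x80) ? 2 : 1;
}

/* Walk src, recording one toy collation-rule index per *character* in
 * rulearr[], and return the character count (the report's idxmax).
 *   fix == 0: write the terminating sentinel at rulearr[srclen] before the
 *             loop, as the reported code did (correct only when bytes == chars).
 *   fix == 1: write it at rulearr[idxmax] after the loop, as the report proposes.
 * src must be non-empty and cap must exceed strlen(src). */
static size_t fill_rulearr(const char *src, unsigned char *rulearr,
                           size_t cap, int fix)
{
    size_t srclen = strlen(src);
    size_t idxmax = 0;
    const unsigned char *p = (const unsigned char *)src;

    memset(rulearr, POISON, cap);       /* model freshly allocated memory */
    if (!fix)
        rulearr[srclen] = '\0';

    /* idxmax counts characters, not bytes; toy rule: 1 for single-byte,
     * 2 for two-byte characters (assumption). */
    do {
        size_t n = toy_char_len(p);
        rulearr[idxmax++] = (n == 1) ? 1 : 2;
        p += n;
    } while (*p != '\0');

    if (fix)
        rulearr[idxmax] = '\0';
    return idxmax;
}

/* True if the slot the last loop iteration reads via rulearr[idxcnt + 1]
 * (idxcnt == idxmax - 1) actually holds the sentinel. */
static int sentinel_present(const unsigned char *rulearr, size_t idxmax)
{
    return rulearr[idxmax] == '\0';
}

/* The index the reported line computes for the last character,
 * rulesets[rulearr[idxcnt + 1] * nrules + pass], checked against a table
 * of nrulesets * nrules entries (table size is an assumption). */
static int last_index_in_bounds(const unsigned char *rulearr, size_t idxmax,
                                size_t nrules, size_t nrulesets, size_t pass)
{
    size_t idxcnt = idxmax - 1;
    size_t idx = (size_t)rulearr[idxcnt + 1] * nrules + pass;
    return idx < nrulesets * nrules;
}

int main(void)
{
    /* Constructed input: 'a', 'b', one two-byte character (0x81 0x41), 'c'.
     * 5 bytes, 4 characters, so srclen != idxmax. */
    const char *src = "ab\x81\x41" "c";
    unsigned char rulearr[16];

    for (int fix = 0; fix <= 1; fix++) {
        size_t idxmax = fill_rulearr(src, rulearr, sizeof rulearr, fix);
        printf("%s: idxmax=%zu srclen=%zu sentinel=%s last index in bounds=%s\n",
               fix ? "fixed   " : "reported", idxmax, strlen(src),
               sentinel_present(rulearr, idxmax) ? "yes" : "no (0x%02x)",
               last_index_in_bounds(rulearr, idxmax, 3, 3, 0) ? "yes" : "no");
    }
    return 0;
}
```

With a pure single-byte string the two variants behave identically, which is why the bug only shows up on locales such as ja_JP.EUC-JP where characters span more than one byte.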
Comment 1 John Reiser 2003-04-09 22:03:50 UTC
Created attachment 91052 [details]
proposed patch

initializes boundary element using idxmax count instead of srclen.

Comment 2 Ulrich Drepper 2003-04-14 23:17:01 UTC
An appropriate patch has been checked into the official glibc CVS archive and
will show up in the next glibc RPM.

Comment 3 Ulrich Drepper 2003-11-04 21:34:50 UTC
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/

