Red Hat Bugzilla – Bug 88409
strxfrm() overruns buffer by indexing with uninitialized value
Last modified: 2016-11-24 09:57:21 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529
Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value,
which can cause an overrun.
The bad reference happens at
-----strxfrm.c line 276
rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
when idxcnt==(idxmax - 1) and the input string has multibyte characters for
which the number of characters is less than the number of bytes; for instance,
ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm.
Note that idxmax is the number of characters in the input string, as counted by
the do...while loop at lines 201-209. There is a preceding statement
-----strxfrm.c line 201
rulearr[srclen] = '\0';
which works only some of the time. Instead, this statement should follow the loop:
rulearr[idxmax] = '\0';
Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it
could be up to 0xff. Then indexing the outer array "rulesets[ UV * nrules +
pass]" can exceed the bounds of rulesets.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run testcase localedata/tst_strxfrm and pay attention to the test of
Actual Results: Access to uninitialized rulearr[idxcnt + 1], and using that
value as part of an index to dynamic array rulesets.
Expected Results: No use of uninitialized value from rulearr.
Created attachment 91052 [details]
initializes boundary element using idxmax count instead of srclen.
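As an added illustration (not the glibc source and not the reporter's attachment), this C model reproduces the bookkeeping mistake described above: the sentinel is written at the byte index srclen, so for a multibyte string the slot at the character index idxmax that line 276 reads is never initialised, while the patched placement after the loop leaves a proper 0 there. SAMPLE_SRC, SAMPLE_WIDTHS, fill_rulearr and next_rule_index are constructed names, and the per-character widths replace the locale's real multibyte decode.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of strxfrm()'s rulearr bookkeeping: one rule entry per
   character while walking a byte string whose characters may span several
   bytes (as in EUC-JP). Not glibc code. */
#define MAXLEN 32

/* Constructed sample: "ab" plus one two-byte EUC-JP character, so
   srclen == 4 bytes but only 3 characters. widths[] stands in for the
   locale's multibyte decode, which this example does not perform. */
static const char SAMPLE_SRC[] = "ab\xa4\xa2";
static const unsigned char SAMPLE_WIDTHS[] = {1, 1, 2};

/* Fill rulearr with one entry per character and return idxmax, the character
   count. fixed == 0 puts the sentinel at srclen before the loop, as the
   original line 201 did; fixed != 0 puts it at idxmax afterwards, as the
   attached patch does. */
static size_t fill_rulearr(const char *src, const unsigned char *widths,
                           size_t nchars, unsigned char *rulearr, int fixed)
{
    size_t srclen = strlen(src), idxmax = 0, pos = 0;

    memset(rulearr, 0xff, MAXLEN);   /* stand-in for never-written heap bytes */
    if (!fixed)
        rulearr[srclen] = '\0';      /* original: sentinel at the byte count */

    while (pos < srclen && idxmax < nchars) {
        rulearr[idxmax] = (unsigned char)(idxmax % 3); /* constructed rule no. */
        pos += widths[idxmax++];
    }

    if (fixed)
        rulearr[idxmax] = '\0';      /* patched: sentinel at the character count */
    return idxmax;
}

/* Mirror the read at line 276 for the last character (idxcnt == idxmax - 1):
   rulearr[idxcnt + 1] is what gets scaled by nrules and used to index
   rulesets. 0 is the expected sentinel; 0xff means the slot was never set. */
static unsigned char next_rule_index(const char *src, const unsigned char *widths,
                                     size_t nchars, int fixed)
{
    unsigned char rulearr[MAXLEN];
    size_t idxcnt = fill_rulearr(src, widths, nchars, rulearr, fixed) - 1;
    return rulearr[idxcnt + 1];
}
```

For an all single-byte string srclen equals idxmax and both placements coincide, which is why the original sentinel "works only some of the time".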
An appropriate patch has been checked into the official glibc CVS archive and
will show up in the next glibc RPM.
Should be fixed in RHL9 errata. Test version at