From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value, which can cause an overrun. The bad reference happens at

-----strxfrm.c line 276
rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
-----

when idxcnt==(idxmax - 1) and the input string has multibyte characters for which the number of characters is less than the number of bytes; for instance, ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm. Note that idxmax is the number of characters in the input string, as counted by the do...while loop at lines 201-209. There is a preceding statement

-----strxfrm.c line 201
rulearr[srclen] = '\0';
-----

which works only some of the time. Instead, this statement should follow the loop:

rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it could be up to 0xff. Then indexing the outer array "rulesets[ UV * nrules + pass]" can exceed the bounds of rulesets.

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1. Run testcase localedata/tst_strxfrm and pay attention to the test of ja_JP.EUC-JP:3:1:3:S .
2.
3.

Actual Results:
Access to uninitialized rulearr[idxcnt + 1], and using that value as part of an index to dynamic array rulesets.

Expected Results:
No use of uninitialized value from rulearr[].

Additional info:
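A constructed C model of the sentinel bug described in this report, added here as an example and not glibc's own code: the per-character rulearr is built by a do...while loop like the one in strxfrm.c, then terminated at either srclen (the reported bug) or idxmax (the proposed fix), and the index that line 276 would compute for the last character is returned. NRULES, NSETS, the sample bytes, the rule ids and the simplified two-byte EUC-JP decoder are all assumptions; the 0xff poison fill stands in for uninitialized memory.

```c
#include <stdio.h>
#include <string.h>

#define NRULES 3 /* constructed: number of collation passes */
#define NSETS  2 /* constructed: rulesets has NSETS * NRULES entries */

/* Constructed EUC-JP sample: 'a', one two-byte character, 'b': 4 bytes, 3 characters. */
static const unsigned char SAMPLE[] = { 'a', 0xA4, 0xA2, 'b' };

/* Simplified EUC-JP: a lead byte >= 0x80 starts a two-byte character
   (assumption; real EUC-JP also has three-byte SS3 sequences). */
static size_t euc_char_len(const unsigned char *p) { return *p >= 0x80 ? 2 : 1; }

/* One rulearr entry per character, as the do...while loop in strxfrm.c does.
   `fixed` picks the sentinel slot: srclen (the bug) or idxmax (the patch).
   rulearr must have srclen + 1 entries. */
static size_t build_rulearr(const unsigned char *src, size_t srclen, unsigned char *rulearr, int fixed) {
    size_t idxmax = 0, pos = 0;
    do {
        size_t len = euc_char_len(src + pos);
        rulearr[idxmax++] = (unsigned char)(len - 1); /* constructed rule id */
        pos += len;
    } while (pos < srclen);
    rulearr[fixed ? idxmax : srclen] = '\0';
    return idxmax;
}

/* The index computed at strxfrm.c line 276 for the last character
   (idxcnt == idxmax - 1): rulearr[idxcnt + 1] * nrules + pass. */
static size_t last_rule_index(const unsigned char *rulearr, size_t idxmax, size_t nrules, size_t pass) {
    return (size_t)rulearr[(idxmax - 1) + 1] * nrules + pass;
}

/* Run one variant on SAMPLE with rulearr poisoned to 0xff, modelling the
   uninitialized memory the report describes. Returns the rulesets index. */
static size_t demo(int fixed) {
    unsigned char rulearr[sizeof SAMPLE + 1];
    memset(rulearr, 0xff, sizeof rulearr);
    size_t idxmax = build_rulearr(SAMPLE, sizeof SAMPLE, rulearr, fixed);
    return last_rule_index(rulearr, idxmax, NRULES, 0);
}

/* Whether an index stays inside the constructed rulesets array. */
static int in_bounds(size_t idx) { return idx < (size_t)NSETS * NRULES; }

int main(void) {
    printf("buggy: index %zu in_bounds=%d\n", demo(0), in_bounds(demo(0)));
    printf("fixed: index %zu in_bounds=%d\n", demo(1), in_bounds(demo(1)));
    return 0;
}
```

With the srclen sentinel, rulearr[idxmax] keeps the poison value, so the index becomes 0xff * NRULES and leaves the constructed rulesets array; with the idxmax sentinel the same read yields 0.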
Created attachment 91052
proposed patch initializes boundary element using idxmax count instead of srclen.
An appropriate patch has been checked into the official glibc CVS archive and will show up in the next glibc RPM.
Should be fixed in RHL9 errata. Test version at ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/