Bug 88978 - locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Summary: locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc   
Version: 9
Hardware: i686 Linux
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
Depends On:
Reported: 2003-04-15 22:12 UTC by John Reiser
Modified: 2016-11-24 14:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-04-17 02:55:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:325 normal SHIPPED_LIVE : Updated glibc packages provide security and bug fixes 2003-11-12 05:00:00 UTC

Description John Reiser 2003-04-15 22:12:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
The output from generating locale ja_JP.EUC-JP contains two undefined bytes
because they were written from beyond the end of a malloc()ed block.

      /* bytes from name through the NUL that ends format */
      l = (strchr (time->era_entries[num].format, '\0')
           - time->era_entries[num].name) + 1;
      /* round up to a multiple of 4 (can exceed the allocated block) */
      l = (l + 3) & ~3;
      iov[2 + cnt].iov_base = (void *) time->era_entries[num].name;
      iov[2 + cnt].iov_len = l;
Here cnt=167 and the first assignment gives l=13.  The iov_base is 18 bytes into
a block of length 32, and (iov_len + iov_base) is 2 bytes beyond the end of the
block.  The actual overrun occurs later during the writev:
  Reading overflows memory.

          |                32                 | 2 |

   Reading    (r) : 0x09330e40 thru 0x09330e41 (2 bytes)
   From block (b) : 0x09330e20 thru 0x09330e3f (32 bytes)
                   block allocated at xmalloc.c, 82
                         xmalloc()  programs/xmalloc.c, 82
                     time_finish()  programs/ld-time.c, 239
            check_all_categories()  programs/locfile.c, 298
                            main()  programs/localedef.c, 279

  Stack trace where the error occurred:
                        __writev()  ../sysdeps/unix/sysv/linux/writev.c, 47
               write_locale_data()  programs/locfile.c, 646
                     time_output()  programs/ld-time.c, 909
            write_all_categories()  programs/locfile.c, 331
                            main()  programs/localedef.c, 289

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Generate locale ja_JP.EUC-JP, by making the 'tests' target in directory

Actual Results:  The third call to writev() has 410 elements, element 169 is 16
bytes beginning at offset +18 in a block of 32 bytes returned by xmalloc(), and
therefore overruns the block by two bytes.

Expected Results:  No block overrun.

Additional info:
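
The arithmetic in the report, replayed as an added example (this is not code from the bug report or from glibc): a small model of an era entry whose name and format strings live back to back inside one malloc()ed block, the same `(l + 3) & ~3` rounding that localedef applies to iov_len, and a check that compares the padded length against the block's real size instead of trusting the rounding. The struct, the function names (padded_len, iov_overrun, era_build, era_build_padded, demo_overrun), the strings "Showa" / "%EC%Ey" and the block geometry (32 bytes, name at offset 18, 13 bytes of strings) are constructed to reproduce the numbers the report gives; the padded allocation in era_build_padded is one illustrative mitigation and is not the patch mentioned in Comment 1, which the page does not show.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of one era entry: the strings sit inside a single
   allocated block, name first, format immediately after name's NUL. */
struct era_block {
    char  *block;      /* the malloc()ed block holding the strings */
    size_t block_len;  /* bytes actually allocated */
    char  *name;       /* NUL-terminated, points into block */
    char  *format;     /* NUL-terminated, directly after name */
};

/* The length localedef computes in the report: bytes from name up to and
   including format's terminating NUL, rounded up to a multiple of 4. */
static size_t padded_len(const char *name, const char *format)
{
    size_t l = (size_t)(strchr(format, '\0') - name) + 1;
    return (l + 3) & ~(size_t)3;
}

/* How many bytes an iov of [name, name + iov_len) would reach past the end
   of the block; 0 if it fits.  Works on offsets, so no out-of-bounds
   pointer is ever formed while checking. */
static size_t iov_overrun(const struct era_block *e, size_t iov_len)
{
    size_t off = (size_t)(e->name - e->block);
    size_t end = off + iov_len;
    return end > e->block_len ? end - e->block_len : 0;
}

/* Lay out name and format at name_off in a block of block_len bytes.
   Returns 0 on success, -1 if the strings themselves do not fit. */
static int era_build(struct era_block *e, size_t block_len, size_t name_off,
                     const char *name, const char *format)
{
    size_t nlen = strlen(name) + 1, flen = strlen(format) + 1;
    if (name_off + nlen + flen > block_len)
        return -1;                      /* strings would not fit: refuse */
    e->block = calloc(block_len, 1);
    if (e->block == NULL)
        return -1;
    e->block_len = block_len;
    e->name = e->block + name_off;
    memcpy(e->name, name, nlen);
    e->format = e->name + nlen;
    memcpy(e->format, format, flen);
    return 0;
}

/* Same layout, but the block is grown so that the padded iov_len still
   lies inside it (illustrative mitigation, not glibc's actual fix). */
static int era_build_padded(struct era_block *e, size_t block_len,
                            size_t name_off, const char *name,
                            const char *format)
{
    size_t l = strlen(name) + 1 + strlen(format) + 1;  /* same l as above */
    size_t need = name_off + ((l + 3) & ~(size_t)3);
    return era_build(e, need > block_len ? need : block_len,
                     name_off, name, format);
}

static void era_free(struct era_block *e)
{
    free(e->block);
    e->block = NULL;
}

/* Replays the report's geometry: 32-byte block, name at offset +18,
   5+1 bytes of name and 6+1 bytes of format (l = 13, padded to 16).
   Returns the overrun in bytes, or (size_t)-1 if the build failed. */
static size_t demo_overrun(int padded_alloc)
{
    struct era_block e;
    int rc = padded_alloc
        ? era_build_padded(&e, 32, 18, "Showa", "%EC%Ey")
        : era_build(&e, 32, 18, "Showa", "%EC%Ey");
    if (rc != 0)
        return (size_t)-1;
    size_t over = iov_overrun(&e, padded_len(e.name, e.format));
    era_free(&e);
    return over;
}

int main(void)
{
    printf("tight block:  iov overruns by %zu bytes\n", demo_overrun(0));
    printf("padded block: iov overruns by %zu bytes\n", demo_overrun(1));
    return 0;
}
```

With the report's numbers the tight block yields an overrun of 2 (18 + 16 - 32), which is exactly what the writev() read hit; sizing the allocation for the padded length brings it to 0. The useful habit here is the iov_overrun-style check: whenever a length is rounded up for alignment, compare the rounded value against the allocation it indexes rather than against the string it was derived from.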

Comment 1 Ulrich Drepper 2003-04-17 02:55:46 UTC
I've added a patch to the official glibc CVS archive.

Comment 2 Ulrich Drepper 2003-11-04 21:35:28 UTC
Should be fixed in RHL9 errata.  Test version at

