First Last Prev Next    This bug is not in your last search results.
Bug 88978 - locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Status: CLOSED UPSTREAM
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
9
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-04-15 18:12 EDT by John Reiser
Modified: 2016-11-24 09:54 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-16 22:55:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:325 normal SHIPPED_LIVE : Updated glibc packages provide security and bug fixes 2003-11-12 00:00:00 EST

  None (edit)
Description John Reiser 2003-04-15 18:12:14 EDT 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
The output from generating locale ja_JP.EUC-JP contains two undefined bytes
because they were written from beyond the end of a malloc()ed block.

-----locale/programs/ld-time.c:700
      l = (strchr (time->era_entries[num].format, '\0')
           - time->era_entries[num].name) + 1;
      l = (l + 3) & ~3;
      iov[2 + cnt].iov_base = (void *) time->era_entries[num].name;
      iov[2 + cnt].iov_len = l;
-----
Here cnt=167 and the first assignment gives l=13.  The iov_base is 18 bytes into
a block of length 32, and (iov_len + iov_base) is 2 bytes beyond the end of the
block.  The actual overrun occurs later during the writev:
-----
  Reading overflows memory.

          bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
          |                32                 | 2 |
                                              rrrrr

   Reading    (r) : 0x09330e40 thru 0x09330e41 (2 bytes)
   From block (b) : 0x09330e20 thru 0x09330e3f (32 bytes)
                   block allocated at xmalloc.c, 82
                         xmalloc()  programs/xmalloc.c, 82
                     time_finish()  programs/ld-time.c, 239
            check_all_categories()  programs/locfile.c, 298
                            main()  programs/localedef.c, 279

  Stack trace where the error occurred:
                      0xffffe002()
                        __writev()  ../sysdeps/unix/sysv/linux/writev.c, 47
               write_locale_data()  programs/locfile.c, 646
                     time_output()  programs/ld-time.c, 909
            write_all_categories()  programs/locfile.c, 331
                            main()  programs/localedef.c, 289
-----


Version-Release number of selected component (if applicable):
2.3.2-27.9

How reproducible:
Always

Steps to Reproduce:
1.Generate locale ja_JP.EUC-JP, by making the 'tests' target in directory
localedata.
2.
3.
    

Actual Results:  The third call to writev() has 410 elements, element 169 is 16
bytes beginning at offset +18 in a block of 32 bytes returned by xmalloc(), and
therefore overruns the block by two bytes.

Expected Results:  No block overrun.


Additional info:
Comment 1 Ulrich Drepper 2003-04-16 22:55:46 EDT 
I've added a patch to the official glibc CVS archive.
Comment 2 Ulrich Drepper 2003-11-04 16:35:28 EST 
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.