Bug 88978 - locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Summary: locale ja_JP.EUC-JP has two undefined bytes [buffer overrun]
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-04-15 22:12 UTC by John Reiser
Modified: 2016-11-24 14:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-17 02:55:46 UTC




Links
Red Hat Product Errata RHSA-2003:325 (priority normal, status SHIPPED_LIVE): Updated glibc packages provide security and bug fixes; last updated 2003-11-12 05:00:00 UTC

Description John Reiser 2003-04-15 22:12:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
The output from generating locale ja_JP.EUC-JP contains two undefined bytes
because they were written from beyond the end of a malloc()ed block.

-----locale/programs/ld-time.c:700
      l = (strchr (time->era_entries[num].format, '\0')
           - time->era_entries[num].name) + 1;
      l = (l + 3) & ~3;
      iov[2 + cnt].iov_base = (void *) time->era_entries[num].name;
      iov[2 + cnt].iov_len = l;
-----
Here cnt=167 and the first assignment gives l=13.  The iov_base is 18 bytes into
a block of length 32, and (iov_len + iov_base) is 2 bytes beyond the end of the
block.  The actual overrun occurs later during the writev:
-----
  Reading overflows memory.

          bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
          |                32                 | 2 |
                                              rrrrr

   Reading    (r) : 0x09330e40 thru 0x09330e41 (2 bytes)
   From block (b) : 0x09330e20 thru 0x09330e3f (32 bytes)
                   block allocated at xmalloc.c, 82
                         xmalloc()  programs/xmalloc.c, 82
                     time_finish()  programs/ld-time.c, 239
            check_all_categories()  programs/locfile.c, 298
                            main()  programs/localedef.c, 279

  Stack trace where the error occurred:
                      0xffffe002()
                        __writev()  ../sysdeps/unix/sysv/linux/writev.c, 47
               write_locale_data()  programs/locfile.c, 646
                     time_output()  programs/ld-time.c, 909
            write_all_categories()  programs/locfile.c, 331
                            main()  programs/localedef.c, 289
-----


Version-Release number of selected component (if applicable):
2.3.2-27.9

How reproducible:
Always

Steps to Reproduce:
1. Generate locale ja_JP.EUC-JP, by making the 'tests' target in directory localedata.

Actual Results:  The third call to writev() has 410 elements, element 169 is 16
bytes beginning at offset +18 in a block of 32 bytes returned by xmalloc(), and
therefore overruns the block by two bytes.

Expected Results:  No block overrun.


Additional info:

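To make the arithmetic in the report concrete, the following is an added example (not glibc's code; the 32-byte block, the name at offset +18 and the era strings are constructed to match the reported layout). It reproduces the length computation from ld-time.c, including the round-up to a multiple of 4, and checks the resulting iovec against the owning block before it would be handed to writev(), which is the check a defender would want in front of any scatter/gather write built from separately allocated strings.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Same computation as ld-time.c: bytes from the start of `name` through
 * the NUL that ends `format` (which follows `name` in the same block),
 * rounded up to a multiple of 4 so the record stays word-aligned. */
static size_t era_iov_len(const char *name, const char *format)
{
    size_t l = (size_t)(strchr(format, '\0') - name) + 1;
    return (l + 3) & ~(size_t)3;
}

/* Bytes an iovec of `len` starting at `offset` inside a `block_len`-byte
 * block would read past the block's end; 0 means it is in bounds. */
static size_t iov_overrun(size_t block_len, size_t offset, size_t len)
{
    size_t end = offset + len;
    return end > block_len ? end - block_len : 0;
}

/* Constructed layout matching the report: 32-byte block, name at +18,
 * format immediately after it, format's terminating NUL at +30. */
enum { BLOCK_LEN = 32, NAME_OFF = 18 };

static size_t demo_overrun(void)
{
    char *block = calloc(BLOCK_LEN, 1);
    if (block == NULL)
        return (size_t)-1;                        /* allocation failure */
    const char *name = block + NAME_OFF;
    memcpy(block + NAME_OFF, "era", 4);           /* +18..+21 (hypothetical name) */
    const char *format = block + NAME_OFF + 4;
    memcpy(block + NAME_OFF + 4, "%EC%Ey%m", 9);  /* +22..+30 (hypothetical format) */

    size_t len = era_iov_len(name, format);       /* 13, rounded up to 16 */
    struct iovec iov = { (void *)name, len };     /* what ld-time.c would queue */

    /* 18 + 16 = 34 > 32: writev() would read 2 bytes beyond the block. */
    size_t over = iov_overrun(BLOCK_LEN, NAME_OFF, iov.iov_len);
    free(block);
    return over;
}
```

The rounded length is what makes the iovec overshoot: the unpadded 13 bytes end exactly at the block's last byte, the padded 16 do not.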
Comment 1 Ulrich Drepper 2003-04-17 02:55:46 UTC
I've added a patch to the official glibc CVS archive.

Comment 2 Ulrich Drepper 2003-11-04 21:35:28 UTC
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/