From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529 Description of problem: The output from generating locale ja_JP.EUC-JP contains two undefined bytes because they were written from beyond the end of a malloc()ed block. -----locale/programs/ld-time.c:700 l = (strchr (time->era_entries[num].format, '\0') - time->era_entries[num].name) + 1; l = (l + 3) & ~3; iov[2 + cnt].iov_base = (void *) time->era_entries[num].name; iov[2 + cnt].iov_len = l; ----- Here cnt=167 and the first assignment gives l=13. The iov_base is 18 bytes into a block of length 32, and (iov_len + iov_base) is 2 bytes beyond the end of the block. The actual overrun occurs later during the writev: ----- Reading overflows memory. bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb | 32 | 2 | rrrrr Reading (r) : 0x09330e40 thru 0x09330e41 (2 bytes) From block (b) : 0x09330e20 thru 0x09330e3f (32 bytes) block allocated at xmalloc.c, 82 xmalloc() programs/xmalloc.c, 82 time_finish() programs/ld-time.c, 239 check_all_categories() programs/locfile.c, 298 main() programs/localedef.c, 279 Stack trace where the error occurred: 0xffffe002() __writev() ../sysdeps/unix/sysv/linux/writev.c, 47 write_locale_data() programs/locfile.c, 646 time_output() programs/ld-time.c, 909 write_all_categories() programs/locfile.c, 331 main() programs/localedef.c, 289 ----- Version-Release number of selected component (if applicable): 2.3.2-27.9 How reproducible: Always Steps to Reproduce: 1.Generate locale ja_JP.EUC-JP, by making the 'tests' target in directory localedata. 2. 3. Actual Results: The third call to writev() has 410 elements, element 169 is 16 bytes beginning at offset +18 in a block of 32 bytes returned by xmalloc(), and therefore overruns the block by two bytes. Expected Results: No block overrun. Additional info:
I've added a patch to the official glibc CVS archive.
Should be fixed in RHL9 errata. Test version at ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/