Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 88409

Summary: strxfrm() overruns buffer by indexing with uninitialized value
Product: [Retired] Red Hat Linux Reporter: John Reiser <jreiser>
Component: glibcAssignee: Jakub Jelinek <jakub>
Status: CLOSED UPSTREAM QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: fweimer
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-04-14 23:17:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
proposed patch none

Description John Reiser 2003-04-09 22:01:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value,
which can cause an overrun.

The bad reference happens at
-----strxfrm.c line 276
               rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
-----
when idxcnt==(idxmax - 1) and the input string has multibyte characters for
which the number of characters is less than the number of bytes; for instance,
ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm.

Note that idxmax is the number of characters in the input string, as counted by
the do...while loop at lines 201-209.  There is a preceding statement
-----strxfrm.c line 201
  rulearr[srclen] = '\0';
-----
which works only some of the time.  Instead, this statement should follow the loop:
  rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it
could be upto 0xff.  Then indexing the outer array  "rulesets[ UV * nrules +
pass]" can exceed the bounds of rulesets.




Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run testcase localedata/tst_strxfrm and pay attention to the test of
ja_JP.EUC-JP:3:1:3:S .
2.
3.
    

Actual Results:  Access to uninitialized rulearr[idxcnt + 1], and using that
value as part of an index to dynamic array rulesets.

Expected Results:  No use of unitialized value from rulearr[].

Additional info:

Comment 1 John Reiser 2003-04-09 22:03:50 UTC
Created attachment 91052 [details]
proposed patch

initializes boundary element using idxmax count instead of srclen.

Comment 2 Ulrich Drepper 2003-04-14 23:17:01 UTC
An appropriate patch has been checked into the official glibc CVS archive and
will show up in the next glibc RPM.

Comment 3 Ulrich Drepper 2003-11-04 21:34:50 UTC
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/