Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 88409 - strxfrm() overruns buffer by indexing with uninitialized value
Summary: strxfrm() overruns buffer by indexing with uninitialized value
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 9
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jakub Jelinek
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-09 22:01 UTC by John Reiser
Modified: 2016-11-24 14:57 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-14 23:17:01 UTC


Attachments (Terms of Use)
proposed patch (deleted)
2003-04-09 22:03 UTC, John Reiser
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:325 normal SHIPPED_LIVE : Updated glibc packages provide security and bug fixes 2003-11-12 05:00:00 UTC

Description John Reiser 2003-04-09 22:01:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
strxfrm() indexes a dynamically-allocated array with an uninitialized value,
which can cause an overrun.

The bad reference happens at
-----strxfrm.c line 276
               rule = rulesets[rulearr[idxcnt + 1] * nrules + pass];
-----
when idxcnt==(idxmax - 1) and the input string has multibyte characters for
which the number of characters is less than the number of bytes; for instance,
ja_JP.EUC-JP:3:1:3:S in the testcase localedata/strxfrm.

Note that idxmax is the number of characters in the input string, as counted by
the do...while loop at lines 201-209.  There is a preceding statement
-----strxfrm.c line 201
  rulearr[srclen] = '\0';
-----
which works only some of the time.  Instead, this statement should follow the loop:
  rulearr[idxmax] = '\0';

Therefore at line 276, the value rulearr[idxcnt + 1] is uninitialized, so it
could be upto 0xff.  Then indexing the outer array  "rulesets[ UV * nrules +
pass]" can exceed the bounds of rulesets.




Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1.Run testcase localedata/tst_strxfrm and pay attention to the test of
ja_JP.EUC-JP:3:1:3:S .
2.
3.
    

Actual Results:  Access to uninitialized rulearr[idxcnt + 1], and using that
value as part of an index to dynamic array rulesets.

Expected Results:  No use of unitialized value from rulearr[].

Additional info:

Comment 1 John Reiser 2003-04-09 22:03:50 UTC
Created attachment 91052 [details]
proposed patch

initializes boundary element using idxmax count instead of srclen.

Comment 2 Ulrich Drepper 2003-04-14 23:17:01 UTC
An appropriate patch has been checked into the official glibc CVS archive and
will show up in the next glibc RPM.

Comment 3 Ulrich Drepper 2003-11-04 21:34:50 UTC
Should be fixed in RHL9 errata.  Test version at

  ftp://people.redhat.com/jakub/glibc/errata/2.3.2-27.9.4/           
                                                                    



Note You need to log in before you can comment on or make changes to this bug.