author | CoprDistGit <infra@openeuler.org> | 2024-08-03 06:28:41 +0000 |
---|---|---|
committer | CoprDistGit <infra@openeuler.org> | 2024-08-03 06:28:41 +0000 |
commit | d20db0561a6a36f914fde030512503b114ef9a0c (patch) | |
tree | d4e5e3494d95c269a1cee6195f11bf3201bcadbf /backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch | |
parent | 016343d99b1b269d7246ef1e143d4b54914433d4 (diff) |
automatic import of glibc openeuler22.03_LTS_SP4 openeuler22.03_LTS_SP3 openeuler20.03
Diffstat (limited to 'backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch')
-rw-r--r-- | backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch b/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
new file mode 100644
index 0000000..f8f5c49
--- /dev/null
+++ b/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
@@ -0,0 +1,62 @@
+From 17bfe5954baee1f18672aea94caa1126ec36fb81 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Tue, 11 Oct 2022 15:24:41 +0100
+Subject: [PATCH] Fix OOB read in stdlib thousand grouping parsing [BZ
+#29727]
+
+__correctly_grouped_prefixmb only worked with thousands_len == 1,
+otherwise it read past the end of cp or thousands.
+
+This affects scanf formats like %'d, %'f and the internal but
+exposed __strto{l,ul,f,d,..}_internal with grouping flag set
+and an LC_NUMERIC locale where thousands_len > 1.
+
+Avoid OOB access by considering thousands_len when initializing cp.
+This fixes bug 29727.
+
+Found by the morello port with strict bounds checking where
+
+FAIL: stdlib/tst-strtod4
+FAIL: stdlib/tst-strtod5i
+
+crashed using a locale with thousands_len==3.
+---
+ stdlib/grouping.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/stdlib/grouping.c b/stdlib/grouping.c
+index d558d930..e2f31b2a 100644
+--- a/stdlib/grouping.c
++++ b/stdlib/grouping.c
+@@ -53,21 +53,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
+ #endif
+ const char *grouping)
+{
+-#ifndef USE_WIDE_CHAR
+- size_t thousands_len;
+- int cnt;
+-#endif
+-
+ if (grouping == NULL)
+ return end;
+
+-#ifndef USE_WIDE_CHAR
+- thousands_len = strlen (thousands);
++#ifdef USE_WIDE_CHAR
++ size_t thousands_len = 1;
++#else
++ size_t thousands_len = strlen (thousands);
++ int cnt;
+ #endif
+
+- while (end > begin)
++ while (end - begin >= thousands_len)
+ {
+- const STRING_TYPE *cp = end - 1;
++ const STRING_TYPE *cp = end - thousands_len;
+ const char *gp = grouping;
+
+ /* Check first group. */
+--
+2.33.0
+
|
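Review bot: The new loop guard `end - begin >= thousands_len` compares a signed pointer difference with a `size_t`, so the difference is converted to unsigned before the test; a negative `end - begin` would pass the guard and `cp = end - thousands_len` would be formed below `begin`, where the old `end > begin` simply stopped. Whether `end` can fall below `begin` depends on the loop body, which lies outside this hunk, so this is a hardening point rather than a confirmed defect. Writing the guard as `while (end > begin && (size_t) (end - begin) >= thousands_len)` keeps the old lower bound and makes the conversion explicit. The `#else` branch would also benefit from a comment stating what callers guarantee about an empty `thousands` string, because with a zero length the guard holds even when `end == begin`; the hunk does not show whether that case is excluded.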