63 lines
1.6 KiB
Diff
63 lines
1.6 KiB
Diff
From 17bfe5954baee1f18672aea94caa1126ec36fb81 Mon Sep 17 00:00:00 2001
|
|
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
|
Date: Tue, 11 Oct 2022 15:24:41 +0100
|
|
Subject: [PATCH] Fix OOB read in stdlib thousand grouping parsing [BZ
|
|
#29727]
|
|
|
|
__correctly_grouped_prefixmb only worked with thousands_len == 1,
|
|
otherwise it read past the end of cp or thousands.
|
|
|
|
This affects scanf formats like %'d, %'f and the internal but
|
|
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
|
|
and an LC_NUMERIC locale where thousands_len > 1.
|
|
|
|
Avoid OOB access by considering thousands_len when initializing cp.
|
|
This fixes bug 29727.
|
|
|
|
Found by the morello port with strict bounds checking where
|
|
|
|
FAIL: stdlib/tst-strtod4
|
|
FAIL: stdlib/tst-strtod5i
|
|
|
|
crashed using a locale with thousands_len==3.
|
|
---
|
|
stdlib/grouping.c | 16 +++++++---------
|
|
1 file changed, 7 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/stdlib/grouping.c b/stdlib/grouping.c
|
|
index d558d930..e2f31b2a 100644
|
|
--- a/stdlib/grouping.c
|
|
+++ b/stdlib/grouping.c
|
|
@@ -53,21 +53,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
|
|
#endif
|
|
const char *grouping)
|
|
{
|
|
-#ifndef USE_WIDE_CHAR
|
|
- size_t thousands_len;
|
|
- int cnt;
|
|
-#endif
|
|
-
|
|
if (grouping == NULL)
|
|
return end;
|
|
|
|
-#ifndef USE_WIDE_CHAR
|
|
- thousands_len = strlen (thousands);
|
|
+#ifdef USE_WIDE_CHAR
|
|
+ size_t thousands_len = 1;
|
|
+#else
|
|
+ size_t thousands_len = strlen (thousands);
|
|
+ int cnt;
|
|
#endif
|
|
|
|
- while (end > begin)
|
|
+ while (end - begin >= thousands_len)
|
|
{
|
|
- const STRING_TYPE *cp = end - 1;
|
|
+ const STRING_TYPE *cp = end - thousands_len;
|
|
const char *gp = grouping;
|
|
|
|
/* Check first group. */
|
|
--
|
|
2.33.0
|
|
|