aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schwab <schwab@suse.de>2018-07-24 18:02:28 +0200
committerAndreas Schwab <schwab@suse.de>2018-07-25 10:50:03 +0200
commit9c79cec8cd2a6996a73aa83d79b360ffd4bebde6 (patch)
treeddebd7034d3a0abdc8054bfeb627673adc15d383
parent969c3355069215f1c1cad800a822d0b303fdc1fa (diff)
downloadglibc-9c79cec8cd2a6996a73aa83d79b360ffd4bebde6.zip
glibc-9c79cec8cd2a6996a73aa83d79b360ffd4bebde6.tar.gz
glibc-9c79cec8cd2a6996a73aa83d79b360ffd4bebde6.tar.bz2
Fix out of bounds access in findidxwc (bug 23442)
If usrc is a prefix of cp but one character shorter an out of bounds access to usrc was done.
-rw-r--r--ChangeLog6
-rw-r--r--locale/weightwc.h6
2 files changed, 9 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 6c22a2f..1163250 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-07-25 Andreas Schwab <schwab@suse.de>
+
+ [BZ #23442]
+ * locale/weightwc.h (findidx): Handle the case where usrc is a
+ prefix of cp but one character too short.
+
2018-07-24 Adhemerval Zanella <adhemerval.zanella@linaro.org>
* NEWS: Add ISO C threads addition.
diff --git a/locale/weightwc.h b/locale/weightwc.h
index 36c65b5..7ee335d 100644
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
@@ -109,7 +109,7 @@ findidx (const int32_t *table,
break;
DIAG_POP_NEEDS_COMMENT;
- if (cnt < nhere - 1)
+ if (cnt < nhere - 1 || cnt == len)
{
cp += 2 * nhere;
continue;
@@ -121,14 +121,14 @@ findidx (const int32_t *table,
same reason as described above. */
DIAG_PUSH_NEEDS_COMMENT;
DIAG_IGNORE_Os_NEEDS_COMMENT (7, "-Wmaybe-uninitialized");
- if (cp[nhere - 1] > usrc[nhere -1])
+ if (cp[nhere - 1] > usrc[nhere - 1])
{
cp += 2 * nhere;
continue;
}
DIAG_POP_NEEDS_COMMENT;
- if (cp[2 * nhere - 1] < usrc[nhere -1])
+ if (cp[2 * nhere - 1] < usrc[nhere - 1])
{
cp += 2 * nhere;
continue;