author | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2022-10-11 15:24:41 +0100 |
---|---|---|
committer | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2022-10-27 14:46:46 +0100 |
commit | b6c621077438769cadebdfcc5f5298389e29081c (patch) | |
tree | e87b3313a20c11b2207554e75805f2f8ab9de7d8 | |
parent | 86cb990eeb22d64be6ab4c7ac3c70b507734dfd7 (diff) | |
Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.
This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.
Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.
Found by the morello port with strict bounds checking where
FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i
crashed using a locale with thousands_len==3.
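The loop initialisation the commit message describes, as an added standalone model (not glibc's code): a backwards scan over a digit string run once with the pre-patch start (`cp = end - 1`, loop while `end > begin`) and once with the fixed start (`cp = end - thousands_len`, loop while at least `thousands_len` bytes remain). It assumes a guarded comparison that refuses any `thousands_len`-byte window extending past `end`, standing in for the strict bounds checking the message mentions; `scan_grouping_prefix`, `bounded_equal`, the 3-byte separator and the digit strings are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one backwards scan over [s, s + n).  */
struct scan_result
{
  bool oob_read;      /* some compare window extended past the end of s */
  ptrdiff_t sep_at;   /* offset of the separator found, or -1 */
};

/* Model of a strict-bounds memcmp (assumption for this example): the whole
   LEN-byte window at CP must lie inside [CP, END) before any byte is
   compared; otherwise flag the out-of-bounds read and report no match.  */
static bool
bounded_equal (const char *cp, const char *end, const char *s, size_t len,
               bool *oob)
{
  if ((size_t) (end - cp) < len)
    {
      *oob = true;
      return false;
    }
  return memcmp (cp, s, len) == 0;
}

/* Scan backwards from the end of S for THOUSANDS.  FIXED selects the
   post-patch initialisation (only enter when at least THOUSANDS_LEN bytes
   remain, start THOUSANDS_LEN bytes before the end); otherwise the pre-patch
   one (enter whenever n > 0, start at the last byte).  */
struct scan_result
scan_grouping_prefix (const char *s, size_t n, const char *thousands,
                      size_t thousands_len, bool fixed)
{
  struct scan_result r = { false, -1 };
  const char *end = s + n;
  bool proceed = fixed ? n >= thousands_len : n > 0;
  if (!proceed)
    return r;
  /* Offsets instead of pointers so the walk never forms a pointer before s.  */
  ptrdiff_t i = fixed ? (ptrdiff_t) (n - thousands_len) : (ptrdiff_t) n - 1;
  for (; i >= 0; i--)
    if (bounded_equal (s + i, end, thousands, thousands_len, &r.oob_read))
      {
        r.sep_at = i;
        break;
      }
  return r;
}

int
main (void)
{
  /* Constructed inputs: a 3-byte separator (UTF-8 encoding of U+202F) so
     thousands_len == 3, one digit string without it and one with it.  */
  static const char sep[] = "\xe2\x80\xaf";
  struct scan_result old = scan_grouping_prefix ("1234567", 7, sep, 3, false);
  struct scan_result fix = scan_grouping_prefix ("1234567", 7, sep, 3, true);
  struct scan_result hit
    = scan_grouping_prefix ("1\xe2\x80\xaf" "234", 7, sep, 3, true);
  printf ("pre-patch init: oob=%d sep_at=%td\n", old.oob_read, old.sep_at);
  printf ("fixed init:     oob=%d sep_at=%td\n", fix.oob_read, fix.sep_at);
  printf ("fixed, sep present: oob=%d sep_at=%td\n", hit.oob_read, hit.sep_at);
  return 0;
}
```

With the pre-patch start the first two windows (`cp = end - 1` and `cp = end - 2`) reach past the end of the seven-byte input, which is the read the commit removes; with the fixed start every window stays inside the buffer, and a two-byte input is skipped entirely because it cannot hold a three-byte separator.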
-rw-r--r-- | stdlib/grouping.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/stdlib/grouping.c b/stdlib/grouping.c index be7922f5fd..4622897488 100644 --- a/stdlib/grouping.c +++ b/stdlib/grouping.c @@ -64,9 +64,17 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end, thousands_len = strlen (thousands); #endif +#ifdef USE_WIDE_CHAR while (end > begin) +#else + while (end - begin >= thousands_len) +#endif { +#ifdef USE_WIDE_CHAR const STRING_TYPE *cp = end - 1; +#else + const STRING_TYPE *cp = end - thousands_len; +#endif const char *gp = grouping; /* Check first group. */ |
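Review bot: in the `#else` branch of the new loop condition, `end - begin >= thousands_len` compares a signed pointer difference against the unsigned `size_t` from `strlen (thousands)`, so the comparison is done in unsigned arithmetic; that is only safe because callers guarantee `end >= begin`, and it would be worth stating that invariant in a comment or casting explicitly (`(size_t) (end - begin) >= thousands_len`) so the intent survives a -Wsign-compare build. The diffstat also shows only stdlib/grouping.c changing: the commit message says the crash was only observed under the morello port's strict bounds checking, so a regression test that exercises `%'d`/`strtod` with a `thousands_len == 3` locale would let ordinary builds (e.g. under a memory checker) catch a reintroduction rather than relying on that port.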