Date: Wed, 24 Dec 2003 12:46:30 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: "Andrey A. Chernov" <ache@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libc/locale setlocale.c
Message-ID: <20031224104630.GA15131@FreeBSD.org.ua>
In-Reply-To: <200312241016.hBOAGkGo000116@repoman.freebsd.org>
References: <200312241016.hBOAGkGo000116@repoman.freebsd.org>
On Wed, Dec 24, 2003 at 02:16:46AM -0800, Andrey A. Chernov wrote:
> ache        2003/12/24 02:16:46 PST
> 
>   FreeBSD src repository
> 
>   Modified files:
>     lib/libc/locale      setlocale.c 
>   Log:
>   Properly advance "x/y/z" form slash-pointers in some rare cases
>   
>   PR:             60539
>   
>   Revision  Changes    Path
>   1.49      +4 -4      src/lib/libc/locale/setlocale.c
> 

I like your fix much better, but I disagree with your "rare".  Just a
simple argument of "C/C" exhibits this bug (#1 in the PR), which is not
rare.  If the locale argument to setlocale() is malloc()'ed, chances are
better this ends up with SIGSEGV:

	locale = malloc(4);
	strcpy(locale, "C/C");
	setlocale(LC_ALL, locale);

Sure the "C/C//C" case where length becomes negative is rare.  The bug
is more dangerous in the "C/C///C" case (more than two slashes), because
length becomes -2, and the size argument to strlcpy() becomes
(size_t)(-1), quite large unsigned integer.  Hopefully, the target
(new_categories[]) is not on stack.

Cheers,
-- 
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org
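The failure mode Ruslan describes is a component length computed as a signed pointer difference that goes negative and is then handed to a size_t parameter. The following is an added illustration, not code from FreeBSD's setlocale.c or from the thread: a hypothetical, simplified parser for the "x/y/z" composite form (the names NCATS, CATNAME_MAX, struct categories, copy_size_from_signed_len, checked_copy and parse_composite are all assumptions) that takes each component length from strcspn, so "C/C", "C/C//C" and "C/C///C" all split cleanly, and rejects a negative or oversized length before any copy instead of letting it wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified "x/y/z" composite-locale parser; not FreeBSD's setlocale.c. */
#define NCATS        6   /* one slot per LC_* category */
#define CATNAME_MAX 32   /* size of each per-category name buffer */

struct categories {
    char name[NCATS][CATNAME_MAX];
};

/* Size a copy routine receives when a component length computed as a signed
 * pointer difference goes negative and is passed on as (len + 1): -2 becomes
 * (size_t)-1, i.e. SIZE_MAX, the case the message warns about. */
size_t copy_size_from_signed_len(int len)
{
    return (size_t)(len + 1);
}

/* Copy one component only if its length is sane for the destination. */
int checked_copy(char *dst, size_t dstsz, const char *src, ptrdiff_t len)
{
    if (len < 0 || (size_t)len >= dstsz)
        return -1;              /* reject instead of passing a huge size on */
    memcpy(dst, src, (size_t)len);
    dst[len] = '\0';
    return 0;
}

/* Split "a/b//c" into per-category names. Each length comes from strcspn, an
 * unsigned count up to the next '/' or NUL, so adjacent or trailing slashes
 * (empty components) can never yield a negative length. Returns the number of
 * components, or -1 if one does not fit or there are more than NCATS. */
int parse_composite(const char *locale, struct categories *out)
{
    const char *p = locale;
    int n = 0;

    for (;;) {
        size_t len = strcspn(p, "/");
        if (n >= NCATS ||
            checked_copy(out->name[n], CATNAME_MAX, p, (ptrdiff_t)len) != 0)
            return -1;
        n++;
        if (p[len] == '\0')
            return n;
        p += len + 1;           /* step past the '/' so the pointer always advances */
    }
}
```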