Date: Wed, 24 Dec 2003 01:16:40 -0800 (PST) From: Christoph Theis <theis@aon.at> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/60539: segmentation fault in setlocale.c Message-ID: <200312240916.hBO9GeDO055760@www.freebsd.org> Resent-Message-ID: <200312240920.hBO9KFJZ086456@freefall.freebsd.org>
>Number: 60539
>Category: misc
>Synopsis: segmentation fault in setlocale.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 24 01:20:15 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Christoph Theis
>Release: 4.6.2 RELEASE
>Organization:
>Environment:
>Description:
I think there is a bug in setlocale.c (1.48), around line 190.
The code reads:
	locale = r;
	while (*locale == '/')
		++locale;
	while (*++r && *r != '/')
		;
} while (*locale);
1. If the locale string does not end with a '/', r points to the ending '\0'. This means the "while (*++r && *r != '/')" may run beyond the string end too, if the next character is not a '\0'. The break condition "while (*locale);" comes too late.
I think the correct condition would read "while (*r++ && *r != '/')".
2. What happens if there are more slashes in the locale string? "while (*locale == '/')" would run to the end of that sequence of '/', while "while (*++r && *r != '/')" would advance r just one char. Thus, locale is behind r, giving a negative length.
I think it would be correct to add "r = locale" before advancing r.
Thus, the code should read:
	locale = r;
	while (*locale == '/')
		++locale;
	r = locale;
	while (*r && *r != '/')
		++r;
} while (*locale);
You can't set empty categories then, that is, "//" in the string would not keep the corresponding categories unchanged. But that is the same behaviour as currently.
>How-To-Repeat:
Difficult. My locale string was
de_AT.ISO8859-1/de_AT.ISO8859-1/de_AT.ISO8859-1/C/de_AT.ISO8859-1/de_AT.ISO8859-1
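An added example, not part of this report or of FreeBSD's setlocale.c: both loop variants quoted above, instrumented in C and run over the locale string from How-To-Repeat and over a constructed string with consecutive slashes. The original loop runs on a buffer that carries a sentinel after the terminator so its overrun is observable rather than undefined; struct walk, walk() and the helper names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define MAX_TOKENS 16

struct walk {                  /* outcome of one run of the splitting loop */
    int ntokens;               /* iterations of the do/while */
    ptrdiff_t len[MAX_TOKENS]; /* r - locale per iteration; negative = bug 2 */
    int overran;               /* r moved past the terminating NUL = bug 1 */
};

/* buf must carry a second NUL after the string (e.g. "a/b\0X") so the
 * original loop's overrun lands on a sentinel instead of being UB. */
static struct walk walk(const char *buf, int use_fix)
{
    struct walk w = {0};
    const char *end = buf + strlen(buf); /* the terminating NUL */
    const char *r = buf, *locale;
    do {
        locale = r;
        while (*locale == '/')
            ++locale;
        if (use_fix) {                   /* loop as proposed in the report */
            r = locale;
            while (*r && *r != '/')
                ++r;
        } else {                         /* loop as quoted from setlocale.c */
            while (*++r && *r != '/')
                ;
        }
        if (r > end)
            w.overran = 1;
        w.len[w.ntokens++] = r - locale;
    } while (*locale && w.ntokens < MAX_TOKENS);
    return w;
}
static int overran(const char *buf, int fix) { return walk(buf, fix).overran; }
static int ntokens(const char *buf, int fix) { return walk(buf, fix).ntokens; }
static ptrdiff_t token_len(const char *buf, int fix, int i) { struct walk w = walk(buf, fix); return w.len[i]; }

/* The submitter's locale string from the report, plus a sentinel after the NUL. */
static const char LOCALE_FROM_REPORT[] =
    "de_AT.ISO8859-1/de_AT.ISO8859-1/de_AT.ISO8859-1/C/de_AT.ISO8859-1/de_AT.ISO8859-1\0X";

int main(void)
{
    const char *in[] = { LOCALE_FROM_REPORT, "a//b\0X" }; /* second input is constructed */
    for (int k = 0; k < 2; k++)
        for (int fix = 0; fix < 2; fix++)
            printf("%-8s \"%s\": tokens=%d overran=%d len[1]=%td\n", fix ? "fixed" : "original",
                   in[k], ntokens(in[k], fix), overran(in[k], fix), token_len(in[k], fix, 1));
    return 0;
}
```

The original loop overruns even on the six-category string from the report (its seventh iteration starts at the NUL), and on "a//b" it records a length of -1 for the second token; the proposed loop never passes the terminator and ends with one empty iteration.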
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
