Date: Wed, 24 Dec 2003 12:46:30 +0200
From: Ruslan Ermilov <ru@FreeBSD.org>
To: "Andrey A. Chernov" <ache@FreeBSD.org>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libc/locale setlocale.c
Message-ID: <20031224104630.GA15131@FreeBSD.org.ua>
In-Reply-To: <200312241016.hBOAGkGo000116@repoman.freebsd.org>
References: <200312241016.hBOAGkGo000116@repoman.freebsd.org>
On Wed, Dec 24, 2003 at 02:16:46AM -0800, Andrey A. Chernov wrote:
> ache        2003/12/24 02:16:46 PST
>
>   FreeBSD src repository
>
>   Modified files:
>     lib/libc/locale      setlocale.c
>   Log:
>   Properly advance "x/y/z" form slash-pointers in some rare cases
>
>   PR:             60539
>
>   Revision  Changes    Path
>   1.49      +4 -4      src/lib/libc/locale/setlocale.c
>
I like your fix much better, but I disagree with your "rare".  Just a
simple argument of "C/C" exhibits this bug (#1 in the PR), which is not
rare.  If the locale argument to setlocale() is malloc()'ed, chances are
better this ends up with SIGSEGV:

	locale = malloc(4);
	strcpy(locale, "C/C");
	setlocale(LC_ALL, locale);

Sure the "C/C//C" case where length becomes negative is rare.  The bug
is more dangerous in the "C/C///C" case (more than two slashes), because
length becomes -2, and the size argument to strlcpy() becomes
(size_t)(-1), a quite large unsigned integer.  Hopefully, the target
(new_categories[]) is not on stack.

Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru@FreeBSD.org
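The slash-splitting hazard discussed in the message, as an added example that is not FreeBSD's setlocale.c: a parser for the "x/y/z" form that derives every component length from a pointer difference held in a size_t, so a malformed argument such as "C/C//C" or "C/C///C" is rejected instead of producing a negative length that strlcpy() would receive as (size_t)(-1). NCAT, MAXLEN, and the rule that an empty component is malformed are assumptions of this example, not libc's rules.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCAT   6   /* assumed number of "x/y/z" slots, not libc's value */
#define MAXLEN 32  /* assumed per-component buffer size */

/*
 * Split arg ("C", "C/C", "en_US.UTF-8/C/C/C/C/C", ...) into out[].
 * Returns the number of components, or -1 if a component is empty
 * (two adjacent slashes), too long for its buffer, or there are more
 * components than NCAT.  Lengths are never computed with signed
 * arithmetic, so there is no negative value to wrap into a huge size_t.
 */
int split_locale(const char *arg, char out[NCAT][MAXLEN])
{
	int n = 0;
	const char *p = arg;

	for (;;) {
		const char *slash = strchr(p, '/');
		/* slash >= p always holds here, so the cast cannot wrap. */
		size_t len = slash ? (size_t)(slash - p) : strlen(p);

		if (len == 0 || len >= MAXLEN || n >= NCAT)
			return -1;	/* reject "C//C", oversize, too many slots */
		memcpy(out[n], p, len);
		out[n][len] = '\0';
		n++;
		if (slash == NULL)
			break;		/* last component consumed */
		p = slash + 1;		/* advance past the slash, never past NUL */
	}
	return n;
}

int main(void)
{
	/* Constructed inputs, including the two shapes from the message. */
	const char *cases[] = { "C/C", "C/C//C", "C/C///C" };
	char out[NCAT][MAXLEN];

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-10s -> %d\n", cases[i], split_locale(cases[i], out));
	return 0;
}
```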
