From: Dimitry Andric
Date: Wed, 14 Aug 2019 19:21:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r351041 - in stable: 11/lib/libc/string 12/lib/libc/string

Author: dim
Date: Wed Aug 14 19:21:26 2019
New Revision: 351041
URL: https://svnweb.freebsd.org/changeset/base/351041

Log:
  MFC r350697:

  Fix a possible segfault in wcsxfrm(3) and wcsxfrm_l(3).

  If the length of the source wide character string, passed in via the
  "size_t n" parameter, is set to zero, the function should only return
  the required length for the destination wide character string. In this
  case, it should *not* attempt to write to the destination, so the "dst"
  parameter is permitted to be NULL.

  However, when the internally called _collate_wxfrm() function returns an
  error, such as when using the "C" locale, as a fallback wcscpy(3) or
  wcsncpy(3) are used. But if the input length is zero, wcsncpy(3) will
  be called with a length of -1! If the "dst" parameter is NULL, this
  will immediately result in a segfault, or if "dst" is a valid pointer,
  it will most likely result in unexpectedly overwritten memory.

  Fix this by explicitly checking for an input length greater than zero,
  before calling wcsncpy(3).

  Note that a similar situation does not occur in strxfrm(3), the plain
  character version of this function, as it uses strlcpy(3) for the error case.
The strlcpy(3) function does not write to the destination if the input length is zero. Modified: stable/11/lib/libc/string/wcsxfrm.c Directory Properties: stable/11/ (props changed) Changes in other areas also in this revision: Modified: stable/12/lib/libc/string/wcsxfrm.c Directory Properties: stable/12/ (props changed) Modified: stable/11/lib/libc/string/wcsxfrm.c ============================================================================== --- stable/11/lib/libc/string/wcsxfrm.c Wed Aug 14 18:41:28 2019 (r351040) +++ stable/11/lib/libc/string/wcsxfrm.c Wed Aug 14 19:21:26 2019 (r351041) @@ -71,7 +71,7 @@ error: slen = wcslen(src); if (slen < len) (void) wcscpy(dest, src); - else { + else if (len > 0) { (void) wcsncpy(dest, src, len - 1); dest[len - 1] = L'\0'; }
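
Review bot: The new `else if (len > 0)` guard in the error path carries no comment explaining why zero must be excluded, so a later cleanup could fold it back into a plain `else`. Add a short comment above it stating that with len == 0 the caller may pass a NULL dest, and that `len - 1` would otherwise be handed to wcsncpy(3) and used as the index in `dest[len - 1] = L'\0';`. A regression test that calls wcsxfrm(NULL, src, 0) in the "C" locale and checks only the returned length would keep this path covered.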