lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-12-24 17:51:17 +03:00
Code Activity

Fix OOB read in stdlib thousand grouping parsing [BZ #29727]

Browse Source 
__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.

This affects scanf formats like %'d, %'f and the internal but
exposed __strto{l,ul,f,d,..}_internal with grouping flag set
and an LC_NUMERIC locale where thousands_len > 1.

Avoid OOB access by considering thousands_len when initializing cp.
This fixes bug 29727.

Found by the morello port with strict bounds checking where

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

crashed using a locale with thousands_len==3.
This commit is contained in:
Szabolcs Nagy
2022-10-11 15:24:41 +01:00
parent 7457b7eef8
commit 17bfe5954b
1 changed files with 7 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
stdlib/grouping.c
View File

@@ -52,21 +52,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
#endif
const char *grouping)
{
#ifndef USE_WIDE_CHAR
size_t thousands_len;
int cnt;
#endif
if (grouping == NULL)
return end;
#ifndef USE_WIDE_CHAR
thousands_len = strlen (thousands);
#ifdef USE_WIDE_CHAR
size_t thousands_len = 1;
#else
size_t thousands_len = strlen (thousands);
int cnt;
#endif
while (end > begin)
while (end - begin >= thousands_len)
{
const STRING_TYPE *cp = end - 1;
const STRING_TYPE *cp = end - thousands_len;
const char *gp = grouping;
/* Check first group. */