Archie Cobbs <arc...@whistle.com> writes:
> Igor Gousarov writes:
> > The source file for setlocale function
> > (/usr/src/lib/libc/locale/setlocale.c)
> > contains the line which might put libc into infinite loop:
> > [...]
> Please file a PR to make sure that this doesn't "slip through
> the cracks"...
It seems to have slipped through the cracks. Good thing I had a
process mark on this message. What do you think of the attached patch
(against -CURRENT)?
I think there's still a possibility of new_categories being overrun,
since there's no bounds checking on i in the do ... while (*locale)
loop. I suggest that a careful audit by somebody who knows this code
(or at least knows what it's supposed to do).
DES
--
Dag-Erling Smorgrav - d...@flood.ping.uio.no
Index: src/lib/libc/locale/setlocale.c
===================================================================
RCS file: /home/ncvs/src/lib/libc/locale/setlocale.c,v
retrieving revision 1.23
diff -u -r1.23 setlocale.c
--- setlocale.c 1998/04/29 22:39:56 1.23
+++ setlocale.c 1999/08/11 15:21:05
@@ -156,9 +156,11 @@
new_categories[i][ENCODING_LEN] = '\0';
}
} else {
- for (i = 1; r[1] == '/'; ++r);
+ while (r[1] == '/')
+ ++r;
if (!r[1])
return (NULL); /* Hmm, just slashes... */
+ i = 1;
do {
len = r - locale > ENCODING_LEN ? ENCODING_LEN
: r - locale;
(void)strncpy(new_categories[i], locale, len);
@@ -169,13 +171,13 @@
++locale;
while (*++r && *r != '/');
} while (*locale);
- while (i < _LC_LAST)
+ for (; i < _LC_LAST; ++i)
(void)strcpy(new_categories[i],
new_categories[i-1]);
}
}
- if (category)
+ if (category != LC_ALL)
return (loadlocale(category));
for (i = 1; i < _LC_LAST; ++i) {
To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message
