From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id 20D3F385841F; Wed,  2 Nov 2022 15:47:40 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 20D3F385841F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1667404061;
	bh=tB1U/7FQ1htPWsZm6Zahzq+r6qJ6x3KNJ1XyIvCV8Dk=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=FjITHBc4wPcDJ7cksMQipmYrgPTirx0u/P7nJn3GZLVouPVzW0WSXuIIqm2EnHJSF
	 Gwee7e+RLUYDBKrZbWlBAyKxb4CZ2TH+pfZLOF416LM8r/FzTk3MWXDMWy+oYrSIGv
	 wWQ0NREx9I/ugVMzP7DAr31Q9zbGNs84Y1xOks+A=
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug locale/29727] __strtol_internal out-of-bounds read when parsing
 thousands grouping
Date: Wed, 02 Nov 2022 15:47:40 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: locale
X-Bugzilla-Version: 2.35
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-29727-131-ij5XtdHPBi@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-29727-131@http.sourceware.org/bugzilla/>
References: <bug-29727-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <glibc-bugs.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D29727

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gn=
u.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=3Dglibc.git;h=3D17bfe5954baee1f1867=
2aea94caa1126ec36fb81

commit 17bfe5954baee1f18672aea94caa1126ec36fb81
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Tue Oct 11 15:24:41 2022 +0100

    Fix OOB read in stdlib thousand grouping parsing [BZ #29727]

    __correctly_grouped_prefixmb only worked with thousands_len =3D=3D 1,
    otherwise it read past the end of cp or thousands.

    This affects scanf formats like %'d, %'f and the internal but
    exposed __strto{l,ul,f,d,..}_internal with grouping flag set
    and an LC_NUMERIC locale where thousands_len > 1.

    Avoid OOB access by considering thousands_len when initializing cp.
    This fixes bug 29727.

    Found by the morello port with strict bounds checking where

    FAIL: stdlib/tst-strtod4
    FAIL: stdlib/tst-strtod5i

    crashed using a locale with thousands_len=3D=3D3.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=