From: "nsz at gcc dot gnu.org"
To: glibc-bugs@sourceware.org
Subject: [Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping
Date: Thu, 27 Oct 2022 11:42:40 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=29727

            Bug ID: 29727
           Summary: __strtol_internal out-of-bounds read when parsing
                    thousands grouping
           Product: glibc
           Version: 2.35
            Status: NEW
          Severity: normal
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: nsz at gcc dot gnu.org
  Target Milestone: ---

__correctly_grouped_prefixmb reads past the end if the locale-specific thousands separator is more than 1 byte.
A crash can be triggered via __strto{l,ll,ul,ull}_internal and __strto{f,d,ld}_internal. Plain strtol and strtof don't parse grouping; scanf %'d and %'f do, but scanf parses from an internal buffer in a way such that an OOB read is unlikely to cause a crash.

e.g. using LC_NUMERIC=cs_CZ.UTF-8 the following code crashes

#include <stdio.h>      /* printf, sscanf */
#include <locale.h>     /* setlocale, locale_t, LC_GLOBAL_LOCALE */
#include <sys/mman.h>   /* mmap, mprotect */

long __strtol_internal(const char *, char **, int, int, locale_t);

int main()
{
  if(setlocale(LC_ALL,"")==0) return -1;
  /* two pages: the first readable, the second inaccessible */
  char *p = mmap(0, 4096*2, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
  mprotect(p, 4096, PROT_READ|PROT_WRITE);
  /* "1\0" sits in the last two bytes of the readable page, so any read
     beyond the terminator lands on the PROT_NONE page */
  char *s = p + 4096 - 2;
  s[0] = '1';
  s[1] = 0;
  int x;
  sscanf(s, "%'d", &x); // may copy s
  printf("%d\n", x);
  x = __strtol_internal(s, 0, 0, 1, LC_GLOBAL_LOCALE); // segfaults
  printf("%d\n", x);
}
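As an added illustration of the bounds discipline the report points at, here is a constructed grouping check that never reads past the terminating NUL even when the thousands separator is several bytes long. This is example code written for this page, not glibc's __correctly_grouped_prefixmb and not the reporter's; the two-byte separator (U+00A0 as UTF-8) and the group width 3 are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example: does the multibyte separator `sep` (seplen bytes, no
   NUL inside) occur at `s`?  Stops at the first NUL of `s`, so a 1-byte
   string is never read past its terminator even for a 2-byte separator. */
static int sep_at(const char *s, const char *sep, size_t seplen)
{
    for (size_t i = 0; i < seplen; i++)
        if (s[i] == '\0' || s[i] != sep[i])
            return 0;
    return 1;
}

/* Length in bytes of the longest correctly grouped prefix of `s`: a leading
   run of 1..group digits, followed by zero or more (sep, exactly `group`
   digits).  A leading run longer than `group` is taken as ungrouped and
   accepted whole.  Every byte is inspected before the next one is touched. */
size_t grouped_prefix_len(const char *s, const char *sep, size_t seplen, int group)
{
    size_t i = 0;
    int n = 0;
    while (s[i] >= '0' && s[i] <= '9') { i++; n++; }
    if (n == 0 || n > group)
        return i;
    size_t ok = i;                 /* end of the last fully grouped prefix */
    while (sep_at(s + i, sep, seplen)) {
        size_t j = i + seplen;
        n = 0;
        while (s[j] >= '0' && s[j] <= '9') { j++; n++; }
        if (n != group)            /* short/long group: prefix ends before sep */
            break;
        i = ok = j;
    }
    return ok;
}

int main(void)
{
    /* Constructed: U+00A0 encoded as UTF-8, a two-byte separator as in the report. */
    const char sep[] = "\xc2\xa0";
    char one[2] = { '1', '\0' };   /* the report's 1-byte input */
    printf("%zu\n", grouped_prefix_len(one, sep, 2, 3));               /* 1 */
    printf("%zu\n", grouped_prefix_len("1\xc2\xa0" "234", sep, 2, 3)); /* 6 */
    printf("%zu\n", grouped_prefix_len("1\xc2", sep, 2, 3));           /* 1 */
    return 0;
}
```

The third call shows the edge the report is about: a separator cut off by the terminator is rejected by inspecting the NUL, not by reading on past it.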