From: Corinna Vinschen
To: newlib@sourceware.org
Subject: [PATCH] newlocale: fix crash when trying to write to __C_locale
Date: Thu, 11 Aug 2022 20:00:07 +0200
Message-Id: <20220811180007.296636-1-corinna@vinschen.de>

This simple testcase:

locale_t st = newlocale(LC_ALL_MASK, "C", (locale_t)0); locale_t st2 = newlocale(LC_CTYPE_MASK, "en_US.UTF-8", st); is sufficient to reproduce a crash in _newlocale_r. After the first call to newlocale, `st' points to __C_locale, which is const. When using `st' as locale base in the second call, _newlocale_r tries to set pointers inside base to NULL. This is bad if base is __C_locale, obviously. Add a test to avoid trying to overwrite pointer values inside base if base is __C_locale. Signed-off-by: Corinna Vinschen --- newlib/libc/locale/newlocale.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/newlib/libc/locale/newlocale.c b/newlib/libc/locale/newlocale.c index 0789d5fd95ec..08f29dbcc0c1 100644 --- a/newlib/libc/locale/newlocale.c +++ b/newlib/libc/locale/newlocale.c @@ -188,7 +188,8 @@ _newlocale_r (struct _reent *p, int category_mask, const char *locale, if (tmp_locale.lc_cat[i].buf == (const void *) -1) { tmp_locale.lc_cat[i].buf = base->lc_cat[i].buf; - base->lc_cat[i].ptr = base->lc_cat[i].buf = NULL; + if (base != __get_C_locale ()) + base->lc_cat[i].ptr = base->lc_cat[i].buf = NULL; } #endif /* __HAVE_LOCALE_INFO__ */ _freelocale_r (p, base); -- 2.37.1
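
Review bot: In the `@@ -188,7 +188,8 @@` hunk of newlib/libc/locale/newlocale.c, the new `if (base != __get_C_locale ())` guard skips only the NULL assignment, while `tmp_locale.lc_cat[i].buf = base->lc_cat[i].buf;` just above it and `_freelocale_r (p, base);` just below it still run with base equal to __C_locale. Please confirm both are safe in that case: the new locale ends up sharing a buf pointer with the const object, and the const object is still handed to the free routine. A one-line comment above the guard saying that base can be the read-only __C_locale would keep the check from being removed later as redundant. The condition does not depend on `i`, so it could be evaluated once into a local instead of calling `__get_C_locale ()` for each category. The two-line testcase from the commit message would also be worth adding as a regression test.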