Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 7 Aug 2019 20:13:43 +0000 (UTC)
From:      Dimitry Andric <dim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r350697 - head/lib/libc/string
Message-ID:  <201908072013.x77KDhgM014931@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: dim
Date: Wed Aug  7 20:13:43 2019
New Revision: 350697
URL: https://svnweb.freebsd.org/changeset/base/350697

Log:
  Fix a possible segfault in wcsxfrm(3) and wcsxfrm_l(3).
  
  If the length of the source wide character string, passed in via the
  "size_t n" parameter, is set to zero, the function should only return
  the required length for the destination wide character string.  In this
  case, it should *not* attempt to write to the destination, so the "dst"
  parameter is permitted to be NULL.
  
  However, when the internally called _collate_wxfrm() function returns an
  error, such as when using the "C" locale, as a fallback wcscpy(3) or
  wcsncpy(3) are used.  But if the input length is zero, wcsncpy(3) will
  be called with a length of -1!  If the "dst" parameter is NULL, this
  will immediately result in a segfault, or if "dst" is a valid pointer,
  it will most likely result in unexpectedly overwritten memory.
  
  Fix this by explicitly checking for an input length greater than zero,
  before calling wcsncpy(3).
  
  Note that a similar situation does not occur in strxfrm(3), the plain
  character version of this function, as it uses strlcpy(3) for the error
  case.  The strlcpy(3) function does not write to the destination if the
  input length is zero.
  
  MFC after:	1 week

Modified:
  head/lib/libc/string/wcsxfrm.c

Modified: head/lib/libc/string/wcsxfrm.c
==============================================================================
--- head/lib/libc/string/wcsxfrm.c	Wed Aug  7 19:45:44 2019	(r350696)
+++ head/lib/libc/string/wcsxfrm.c	Wed Aug  7 20:13:43 2019	(r350697)
@@ -73,7 +73,7 @@ error:
 	slen = wcslen(src);
 	if (slen < len)
 		(void) wcscpy(dest, src);
-	else {
+	else if (len > 0) {
 		(void) wcsncpy(dest, src, len - 1);
 		dest[len - 1] = L'\0';
 	}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908072013.x77KDhgM014931>