misc/60539: segmentation fault in setlocale.c
Christoph Theis
theis at aon.at
Wed Dec 24 01:20:20 PST 2003
>Number: 60539
>Category: misc
>Synopsis: segmentation fault in setlocale.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 24 01:20:15 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Christoph Theis
>Release: 4.6.2 RELEASE
>Organization:
>Environment:
>Description:
I think there is a bug in setlocale.c (1.48), around line 190.
The code reads:
        locale = r;
        while (*locale == '/')
            ++locale;
        while (*++r && *r != '/')
            ;
    } while (*locale);
1. If the locale string does not end with a '/', r points to the ending '\0'. This means the "while (*++r && *r != '/')" may run beyond the string end if the next character is not a '\0', too. The break condition "while (*locale);" comes too late.
I think the correct condition would read "while (*r++ && *r != '/')".
2. What happens if there are more slashes in the locale string? "while (*locale == '/')" would run to the end of that sequence of '/', while "while (*++r && *r != '/')" would advance r just one char. Thus, locale is behind r, giving a negative length.
I think the correct thing would be to do "r = locale" before advancing r.
Thus, the code should read:
        locale = r;
        while (*locale == '/') ++locale;
        r = locale;
        while (*r && *r != '/') ++r;
    } while (*locale);
You can't set empty categories then, that is, "//" in the string would not keep the corresponding categories unchanged. But that is the same behaviour as the current one.
>How-To-Repeat:
Difficult. My locale string was:
    de_AT.ISO8859-1/de_AT.ISO8859-1/de_AT.ISO8859-1/C/de_AT.ISO8859-1/de_AT.ISO8859-1
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
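As an added illustration of the two defects described in the report (this is not code from the PR or from FreeBSD's setlocale.c): a bounds-checked tokenizer that follows the proposed corrected loop, and an index-based model of the original loop that reports an overrun or a negative token length instead of performing the out-of-bounds read. The names split_locale, category_count, category_at and model_original are chosen here; the model assumes r starts at the beginning of the string, which the quoted fragment does not show.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CATS 8
#define MAX_LEN  64

/* Walk the string the way the PR's corrected loop does: skip any run of
 * '/', remember where the token starts, then advance r to the next '/'
 * or the terminator. Non-empty tokens are copied into out[]; returns the
 * token count, or -1 if out[] is too small. Empty categories ("//") are
 * dropped, which is the behaviour the PR text notes is unchanged. */
int split_locale(const char *str, char out[][MAX_LEN], int max)
{
    const char *locale = str, *r;
    int n = 0;

    do {
        while (*locale == '/')
            ++locale;
        r = locale;
        while (*r && *r != '/')
            ++r;                       /* r never passes the NUL */
        if (r > locale) {
            size_t len = (size_t)(r - locale);
            if (n == max || len >= MAX_LEN)
                return -1;
            memcpy(out[n], locale, len);
            out[n][len] = '\0';
            n++;
        }
        locale = r;                    /* next pass starts at '/' or NUL */
    } while (*locale);
    return n;
}

/* Convenience wrappers over split_locale() for callers that only need
 * the count or one token (static buffer, not thread-safe). */
int category_count(const char *str)
{
    char out[MAX_CATS][MAX_LEN];
    return split_locale(str, out, MAX_CATS);
}

const char *category_at(const char *str, int i)
{
    static char out[MAX_CATS][MAX_LEN];
    int n = split_locale(str, out, MAX_CATS);
    return (i >= 0 && i < n) ? out[i] : NULL;
}

/* Index-based model of the ORIGINAL loop from the PR, with r and locale as
 * offsets so the two defects can be reported instead of executed. Assumes
 * r starts at offset 0 (the quoted fragment does not show the code before
 * the loop). Returns a bitmask: 1 = the walk would read past the
 * terminator, 2 = a token with negative length (locale ahead of r). */
int model_original(const char *str)
{
    long end = (long)strlen(str);      /* offset of the terminator */
    long r = 0, locale;
    int flags = 0;

    do {
        locale = r;
        while (locale < end && str[locale] == '/')
            ++locale;
        /* original: while (*++r && *r != '/') ; */
        for (;;) {
            ++r;
            if (r > end)               /* *++r would read past the NUL */
                return flags | 1;
            if (str[r] == '\0' || str[r] == '/')
                break;
        }
        if (r < locale)
            flags |= 2;                /* r - locale would be negative */
    } while (str[locale] != '\0');
    return flags;
}

int main(void)
{
    const char *pr_string =            /* the string quoted in the PR */
        "de_AT.ISO8859-1/de_AT.ISO8859-1/de_AT.ISO8859-1/C/"
        "de_AT.ISO8859-1/de_AT.ISO8859-1";
    printf("corrected walk: %d categories\n", category_count(pr_string));
    printf("original model on PR string: flags=%d\n", model_original(pr_string));
    printf("original model on \"C//de\": flags=%d\n", model_original("C//de"));
    return 0;
}
```

Running the model on the PR's own string reports only the overrun (flag 1), which matches the report's first point; a string such as "C//de" reports both the negative length and the overrun, and a string ending in '/' reports neither, which is the condition the report gives for the original loop to terminate safely.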