From: Andreas Schwab <schwab@suse.de>
Date: Tue, 24 Jul 2018 16:02:28 +0000 (+0200)
Subject: Fix out of bounds access in findidxwc (bug 23442)
X-Git-Tag: upstream/2.30~1049
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9c79cec8cd2a6996a73aa83d79b360ffd4bebde6;p=platform%2Fupstream%2Fglibc.git

Fix out of bounds access in findidxwc (bug 23442)

If usrc is a prefix of cp but one character shorter an out of bounds
access to usrc was done.
---

diff --git a/ChangeLog b/ChangeLog
index 6c22a2f..1163250 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-07-25  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #23442]
+	* locale/weightwc.h (findidx): Handle the case where usrc is a
+	prefix of cp but one character too short.
+
 2018-07-24  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	* NEWS: Add ISO C threads addition.
diff --git a/locale/weightwc.h b/locale/weightwc.h
index 36c65b5..7ee335d 100644
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
@@ -109,7 +109,7 @@ findidx (const int32_t *table,
 	      break;
 	  DIAG_POP_NEEDS_COMMENT;
 
-	  if (cnt < nhere - 1)
+	  if (cnt < nhere - 1 || cnt == len)
 	    {
 	      cp += 2 * nhere;
 	      continue;
@@ -121,14 +121,14 @@ findidx (const int32_t *table,
 	     same reason as described above.  */
 	  DIAG_PUSH_NEEDS_COMMENT;
 	  DIAG_IGNORE_Os_NEEDS_COMMENT (7, "-Wmaybe-uninitialized");
-	  if (cp[nhere - 1] > usrc[nhere -1])
+	  if (cp[nhere - 1] > usrc[nhere - 1])
 	    {
 	      cp += 2 * nhere;
 	      continue;
 	    }
 	  DIAG_POP_NEEDS_COMMENT;
 
-	  if (cp[2 * nhere - 1] < usrc[nhere -1])
+	  if (cp[2 * nhere - 1] < usrc[nhere - 1])
 	    {
 	      cp += 2 * nhere;
 	      continue;