Fix out of bounds access in findidxwc (bug 23442)

If usrc is a prefix of cp but one character shorter an out of bounds
access to usrc was done.

diff --git a/ChangeLog b/ChangeLog
index 6c22a2f312095f83f7d3a3fd887fd3ec5fcd67c8..11632507c080917a090251ddda25a52141a45f19 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2018-07-25  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #23442]
+       * locale/weightwc.h (findidx): Handle the case where usrc is a
+       prefix of cp but one character too short.
+
 2018-07-24  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
        * NEWS: Add ISO C threads addition.

diff --git a/locale/weightwc.h b/locale/weightwc.h
index 36c65b5623a367dcb42b24f190f0c759fafb512f..7ee335dc9ab606b037cba5bf25a22a262b7eabba 100644 (file)
--- a/locale/weightwc.h
+++ b/locale/weightwc.h
@@ -109,7 +109,7 @@ findidx (const int32_t *table,
              break;
          DIAG_POP_NEEDS_COMMENT;
 
-         if (cnt < nhere - 1)
+         if (cnt < nhere - 1 || cnt == len)
            {
              cp += 2 * nhere;
              continue;
@@ -121,14 +121,14 @@ findidx (const int32_t *table,
             same reason as described above.  */
          DIAG_PUSH_NEEDS_COMMENT;
          DIAG_IGNORE_Os_NEEDS_COMMENT (7, "-Wmaybe-uninitialized");
-         if (cp[nhere - 1] > usrc[nhere -1])
+         if (cp[nhere - 1] > usrc[nhere - 1])
            {
              cp += 2 * nhere;
              continue;
            }
          DIAG_POP_NEEDS_COMMENT;
 
-         if (cp[2 * nhere - 1] < usrc[nhere -1])
+         if (cp[2 * nhere - 1] < usrc[nhere - 1])
            {
              cp += 2 * nhere;
              continue;