From: Szabolcs Nagy Date: Tue, 11 Oct 2022 14:24:41 +0000 (+0100) Subject: Fix OOB read in stdlib thousand separator handling X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85c6eba32a3c1f227ff89bbd23d6c97cdf76892b;p=thirdparty%2Fglibc.git Fix OOB read in stdlib thousand separator handling __correctly_grouped_prefixmb only worked with thousands_len == 1, otherwise it read past the end of cp or thousands. Avoid OOB access by considering thousands_len when initializing cp. On morello with strict bounds checking this fixes FAIL: stdlib/tst-strtod4 FAIL: stdlib/tst-strtod5i both of which set cs_CZ.UTF-8 locale that has 3 byte thousands_len. --- diff --git a/stdlib/grouping.c b/stdlib/grouping.c index be7922f5fdc..46228974881 100644 --- a/stdlib/grouping.c +++ b/stdlib/grouping.c @@ -64,9 +64,17 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end, thousands_len = strlen (thousands); #endif +#ifdef USE_WIDE_CHAR while (end > begin) +#else + while (end - begin >= thousands_len) +#endif { +#ifdef USE_WIDE_CHAR const STRING_TYPE *cp = end - 1; +#else + const STRING_TYPE *cp = end - thousands_len; +#endif const char *gp = grouping; /* Check first group. */
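Review bot: In the non-wide-char branch, the new loop test `end - begin >= thousands_len` compares a signed pointer difference against a length taken from `strlen (thousands)`, so it behaves differently from the old `end > begin` in two cases. If `thousands_len` is declared with an unsigned type (the declaration is outside this hunk), a negative `end - begin` converts to a very large unsigned value and the loop body is entered. If `thousands_len` is 0, the test holds when `end == begin`, and `cp = end - thousands_len` then points at `end` itself. If callers guarantee `begin <= end` and a non-empty separator, a short comment or assertion above the loop would make that bound easy to audit. Otherwise the condition could be written as `end > begin && end - begin >= thousands_len`.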