From: Szabolcs Nagy
Date: Tue, 11 Oct 2022 14:24:41 +0000 (+0100)
Subject: Fix OOB read in stdlib thousand grouping parsing [BZ #29727]
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6c621077438769cadebdfcc5f5298389e29081c;p=thirdparty%2Fglibc.git

Fix OOB read in stdlib thousand grouping parsing [BZ #29727]

__correctly_grouped_prefixmb only worked with thousands_len == 1, otherwise it read past the end of cp or thousands. This affects scanf formats like %'d, %'f and the internal but exposed __strto{l,ul,f,d,..}_internal with grouping flag set and an LC_NUMERIC locale where thousands_len > 1.

Avoid OOB access by considering thousands_len when initializing cp.

This fixes bug 29727.

Found by the morello port with strict bounds checking where

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

crashed using a locale with thousands_len==3.
---
diff --git a/stdlib/grouping.c b/stdlib/grouping.c index be7922f5fdc..46228974881 100644 --- a/stdlib/grouping.c +++ b/stdlib/grouping.c @@ -64,9 +64,17 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end, thousands_len = strlen (thousands); #endif +#ifdef USE_WIDE_CHAR while (end > begin) +#else + while (end - begin >= thousands_len) +#endif { +#ifdef USE_WIDE_CHAR const STRING_TYPE *cp = end - 1; +#else + const STRING_TYPE *cp = end - thousands_len; +#endif const char *gp = grouping; /* Check first group. */
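Review bot: the new narrow-character condition "while (end - begin >= thousands_len)" paired with "cp = end - thousands_len" leaves thousands_len == 0 unguarded: with an empty separator the condition is always true and cp is set equal to end, and it is not visible from these lines that the loop body still moves toward begin the way the old "while (end > begin)" guaranteed. Either confirm that every caller rejects an empty thousands string before reaching here, or return early when strlen (thousands) is zero right after the "thousands_len = strlen (thousands);" line. Two smaller points: if thousands_len is 1 in the USE_WIDE_CHAR build, both arms of each #ifdef reduce to the same expression and the two preprocessor forks could be dropped in favour of the length-based form alone; and since the commit message notes the failure only surfaced under strict bounds checking on the morello port, a regression test that runs the existing strtod grouping tests under a locale with a multi-byte thousands separator would keep this covered on ordinary builds.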
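The commit message describes the defect in terms of a separator length that the scan ignored. The following stand-alone C program is an added illustration, not glibc's grouping.c nor code from the commit: it checks a digit string against an LC_NUMERIC-style grouping specification with a separator of any byte length, and performs the bound check the fix is about (only compare the separator when that many bytes actually precede the current position). The names grouped_ok and check_str are the example's own, the grouping arrays are constructed samples, and NNBSP is a constructed 3-byte separator chosen only because the commit message mentions a locale with thousands_len==3, not because it is that locale's separator.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample separator: UTF-8 NARROW NO-BREAK SPACE, 3 bytes.
   Kept in its own literal so the hex escape cannot swallow adjacent digits.  */
#define NNBSP "\xE2\x80\xAF"

/* Grouping follows the LC_NUMERIC convention assumed here: each byte is a
   group size counted from the right, the last byte repeats, and CHAR_MAX
   means no further grouping.  These are constructed samples.  */
static const char grp_three[] = { 3, 0 };
static const char grp_three_two[] = { 3, 2, 0 };
static const char grp_three_stop[] = { 3, CHAR_MAX, 0 };

/* Return 1 if [BEGIN, END) is grouped as GROUPING demands using the
   separator THOUSANDS, 0 otherwise.  Every separator comparison first
   checks that TLEN bytes exist before P, so nothing is read outside
   [BEGIN, END) whatever the separator's length.  Demonstration code,
   not glibc's __correctly_grouped_prefixmb.  */
static int
grouped_ok (const char *begin, const char *end,
            const char *grouping, const char *thousands)
{
  size_t tlen = strlen (thousands);
  if (tlen == 0 || grouping == NULL
      || *grouping <= 0 || *grouping == CHAR_MAX)
    return 1;                      /* no grouping in effect */

  const char *gp = grouping;       /* required size of the current group */
  const char *p = end;
  size_t in_group = 0;             /* digits seen in that group so far */

  while (p > begin)
    {
      /* Bound check before memcmp: a fixed "end - 1" assumption is exactly
         what reads past the buffer when the separator is longer than one
         byte.  */
      if ((size_t) (p - begin) >= tlen
          && memcmp (p - tlen, thousands, tlen) == 0)
        {
          /* A separator ends here: the group to its right must contain
             exactly *gp digits, and no separator may appear once the
             grouping string has reached CHAR_MAX.  */
          if (*gp == CHAR_MAX || in_group != (size_t) *gp)
            return 0;
          p -= tlen;
          if (p == begin)
            return 0;              /* leading separator with no digits */
          if (gp[1] != '\0')
            ++gp;                  /* otherwise the last size repeats */
          in_group = 0;
        }
      else
        {
          --p;
          ++in_group;
        }
    }

  /* The leftmost group may be shorter than required, never longer.  */
  return *gp == CHAR_MAX || in_group <= (size_t) *gp;
}

/* Convenience wrapper for NUL-terminated input.  */
static int
check_str (const char *s, const char *grouping, const char *thousands)
{
  return grouped_ok (s, s + strlen (s), grouping, thousands);
}

int
main (void)
{
  printf ("%d\n", check_str ("1.234.567", grp_three, "."));
  printf ("%d\n", check_str ("1" NNBSP "234" NNBSP "567", grp_three, NNBSP));
  /* Input shorter than the separator: the bound check skips the compare
     instead of reading before the buffer.  */
  printf ("%d\n", check_str ("12", grp_three, NNBSP));
  printf ("%d\n", check_str ("12" NNBSP "34567", grp_three, NNBSP));
  return 0;
}
```

The single place where the separator is compared is guarded by the length of the input still to the left of the cursor, which is the invariant the patch restores in the narrow-character path; the rest of the function only exists to make the grouping rules concrete enough to test.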