From 85c6eba32a3c1f227ff89bbd23d6c97cdf76892b Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Tue, 11 Oct 2022 15:24:41 +0100
Subject: [PATCH] Fix OOB read in stdlib thousand separator handling

__correctly_grouped_prefixmb only worked with thousands_len == 1,
otherwise it read past the end of cp or thousands.

Avoid OOB access by considering thousands_len when initializing cp.

On morello with strict bounds checking this fixes

FAIL: stdlib/tst-strtod4
FAIL: stdlib/tst-strtod5i

both of which set cs_CZ.UTF-8 locale that has 3 byte thousands_len.
---
 stdlib/grouping.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stdlib/grouping.c b/stdlib/grouping.c
index be7922f5fdc..46228974881 100644
--- a/stdlib/grouping.c
+++ b/stdlib/grouping.c
@@ -64,9 +64,17 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
   thousands_len = strlen (thousands);
 #endif
 
+#ifdef USE_WIDE_CHAR
   while (end > begin)
+#else
+  while (end - begin >= thousands_len)
+#endif
     {
+#ifdef USE_WIDE_CHAR
       const STRING_TYPE *cp = end - 1;
+#else
+      const STRING_TYPE *cp = end - thousands_len;
+#endif
       const char *gp = grouping;
 
       /* Check first group.  */
-- 
2.47.2