From aa8d1268470ffd149ee631369ab7dc12e128465c Mon Sep 17 00:00:00 2001 From: Dimitry Andric Date: Wed, 7 Aug 2019 20:13:43 +0000 Subject: [PATCH] Fix a possible segfault in wcsxfrm(3) and wcsxfrm_l(3). If the length of the source wide character string, passed in via the "size_t n" parameter, is set to zero, the function should only return the required length for the destination wide character string. In this case, it should *not* attempt to write to the destination, so the "dst" parameter is permitted to be NULL. However, when the internally called _collate_wxfrm() function returns an error, such as when using the "C" locale, as a fallback wcscpy(3) or wcsncpy(3) are used. But if the input length is zero, wcsncpy(3) will be called with a length of -1! If the "dst" parameter is NULL, this will immediately result in a segfault, or if "dst" is a valid pointer, it will most likely result in unexpectedly overwritten memory. Fix this by explicitly checking for an input length greater than zero, before calling wcsncpy(3). Note that a similar situation does not occur in strxfrm(3), the plain character version of this function, as it uses strlcpy(3) for the error case. The strlcpy(3) function does not write to the destination if the input length is zero. MFC after: 1 week --- lib/libc/string/wcsxfrm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/libc/string/wcsxfrm.c b/lib/libc/string/wcsxfrm.c index 326e1117909c..c9603d1881fe 100644 --- a/lib/libc/string/wcsxfrm.c +++ b/lib/libc/string/wcsxfrm.c @@ -73,7 +73,7 @@ wcsxfrm_l(wchar_t * __restrict dest, const wchar_t * __restrict src, size_t len, slen = wcslen(src); if (slen < len) (void) wcscpy(dest, src); - else { + else if (len > 0) { (void) wcsncpy(dest, src, len - 1); dest[len - 1] = L'\0'; }