Bug#310635: some programs segfault when run with belocs-locales-* installed

[Denis Barbier <barbier@linuxfr.org>]

On Sat, Oct 01, 2005 at 01:29:10PM +0200, Denis Barbier wrote:
> I was eventually able to test this patch.  Eugeniy's test case still
> segfaults, I will work on a better patch, strcoll_l.c needs to be
> fixed too.

Here is a revised patch.  It seems to work fine, but it has not been
fully tested yet.  I send it in case someone is working on this bug
report, and will add the patch tag after more testing.

Denis

#! /bin/sh -e

# DP: Description: Fix segfault when strings contain a mix of forward
#     and backward rules.
# DP: Dpatch Author: Denis Barbier <barbier@linuxfr.org>
# DP: Patch Author: Denis Barbier
# DP: Upstream status: Unknown
# DP: Date: 2005-10-01

if [ $# -ne 2 ]; then
    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
    exit 1
fi
case "$1" in
    -patch) patch -d "$2" -f --no-backup-if-mismatch -p1 < $0;;
    -unpatch) patch -d "$2" -f --no-backup-if-mismatch -R -p1 < $0;;
    *)
	echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
	exit 1
esac
exit 0

--- glibc-2.3.3-net/string/strxfrm_l.c	14 Mar 2004 20:52:47 -0000	1.4
+++ glibc-2.3.3-net/string/strxfrm_l.c	23 May 2005 22:35:59 -0000
@@ -210,18 +210,19 @@
 		      /* Handle the pushed elements now.  */
 		      size_t backw;
 
-		      for (backw = idxcnt - 1; backw >= backw_stop; --backw)
+		      /* Take care of integer overflow if backw_stop is 0.  */
+		      for (backw = idxcnt; backw > backw_stop; --backw)
 			{
-			  len = weights[idxarr[backw]++];
+			  len = weights[idxarr[backw - 1]++];
 
 			  if (needed + len < n)
 			    while (len-- > 0)
-			      dest[needed++] = weights[idxarr[backw]++];
+			      dest[needed++] = weights[idxarr[backw - 1]++];
 			  else
 			    {
 				/* No more characters fit into the buffer.  */
 			      needed += len;
-			      idxarr[backw] += len;
+			      idxarr[backw - 1] += len;
 			    }
 			}
 
@@ -293,9 +294,10 @@
 		     /* Handle the pushed elements now.  */
 		      size_t backw;
 
-		      for (backw = idxcnt - 1; backw >= backw_stop; --backw)
+		      /* Take care of integer overflow if backw_stop is 0.  */
+		      for (backw = idxcnt; backw > backw_stop; --backw)
 			{
-			  len = weights[idxarr[backw]++];
+			  len = weights[idxarr[backw - 1]++];
 			  if (len != 0)
 			    {
 #ifdef WIDE_CHAR_VERSION
@@ -304,7 +306,7 @@
 				  dest[needed] = val;
 				  for (i = 0; i < len; ++i)
 				    dest[needed + 1 + i] =
-				      weights[idxarr[backw] + i];
+				      weights[idxarr[backw - 1] + i];
 				}
 			      needed += 1 + len;
 #else
@@ -315,11 +317,11 @@
 				    dest[needed + i] = buf[i];
 				  for (i = 0; i < len; ++i)
 				    dest[needed + buflen + i] =
-				      weights[idxarr[backw] + i];
+				      weights[idxarr[backw - 1] + i];
 				}
 			      needed += buflen + len;
 #endif
-			      idxarr[backw] += len;
+			      idxarr[backw - 1] += len;
 			      val = 1;
 			    }
 			  else
--- glibc-2.3.3-net/string/strcoll_l.c	14 Mar 2004 20:52:47 -0000	1.4
+++ glibc-2.3.3-net/string/strcoll_l.c	23 May 2005 22:35:59 -0000
@@ -370,7 +370,10 @@
 			/* The last pushed character was handled.  Continue
 			   with forward characters.  */
 			if (idx1cnt < idx1max)
-			  idx1now = idx1cnt;
+			  {
+			    idx1now = idx1cnt;
+			    backw1_stop = ~0ul;
+			  }
 			else
 			  {
 			    /* Nothing anymore.  The backward sequence