sort: fix buffer overflow with some case conversions
* src/sort.c (keycompare_mb): Ensure the buffer is big enough
to handle anything output from wctomb().  The current implementation
is character based, so we allocate the worst case size for the
conversion buffer, which is MB_CUR_MAX for each input byte.
* tests/i18n/sort.sh: Add a test case causing seg fault.
* tests/local.mk: Reference the new test case.
Reported at https://bugzilla.suse.com/show_bug.cgi?id=928749
pixelb committed May 13, 2015
1 parent 38f4d23 commit bea5e36
Showing 3 changed files with 34 additions and 2 deletions.
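--- a/src/sort.c
+++ b/src/sort.c
@@ -3244,8 +3244,10 @@ keycompare_mb (const struct line *a, const struct line *b)
 
 if (ignore || translate)
 {
-char *copy_a = (char *) xmalloc (lena + 1 + lenb + 1);
-char *copy_b = copy_a + lena + 1;
+if (SIZE_MAX - lenb - 2 < lena)
+xalloc_die ();
+char *copy_a = (char *) xnmalloc (lena + lenb + 2, MB_CUR_MAX);
+char *copy_b = copy_a + lena * MB_CUR_MAX + 1;
 size_t new_len_a, new_len_b;
 size_t i, j;
 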
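Review bot: The worst-case reasoning behind `xnmalloc (lena + lenb + 2, MB_CUR_MAX)` and the `lena * MB_CUR_MAX + 1` offset for copy_b is recorded only in the commit message, so a later edit to either line could quietly reintroduce the overflow. I would state it above the allocation, e.g. `/* Worst case: each input byte is one character that wctomb() expands to MB_CUR_MAX bytes. */`. The loops that fill copy_a and copy_b are outside this hunk, so whether every write (including a failed wctomb() conversion) stays within MB_CUR_MAX bytes per input byte cannot be confirmed from here. The `(char *)` cast on the xnmalloc result is not needed in C and could be dropped.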
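--- /dev/null
+++ b/tests/i18n/sort.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+# Verify sort's multi-byte support.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+
+export LC_ALL=en_US.UTF-8
+locale -k LC_CTYPE | grep -q "charmap.*UTF-8" \
+|| skip_ "No UTF-8 locale available"
+
+# Enable heap consistency checkng on older systems
+export MALLOC_CHECK_=2
+
+
+# check buffer overflow issue due to
+# expanding multi-byte representation due to case conversion
+# https://bugzilla.suse.com/show_bug.cgi?id=928749
+cat <<EOF > exp
+.
+ɑ
+EOF
+cat <<EOF | sort -f > out || fail=1
+.
+ɑ
+EOF
+compare exp out || { fail=1; cat out; }
+
+
+Exit $fail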
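Review bot: The expected output in `exp` appears to be the same whether or not the overflow happens, so this test catches a regression only when the allocator check or a crash makes `sort -f` exit non-zero. `MALLOC_CHECK_=2` is the only detector set up here, and a libc that does not honour it may let a small overrun pass unnoticed. A comment such as `# Output is identical with and without the bug; detection relies on the allocator aborting.` would make that dependency visible. Running this test in a sanitizer-enabled build would likely catch the overrun more reliably.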
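--- a/tests/local.mk
+++ b/tests/local.mk
@@ -517,6 +517,7 @@ all_tests = \
 tests/du/threshold.sh \
 tests/du/trailing-slash.sh \
 tests/du/two-args.sh \
+tests/i18n/sort.sh \
 tests/id/gnu-zero-uids.sh \
 tests/id/no-context.sh \
 tests/id/context.sh \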
