If a gconv module's init function has an address that is the same as the pointer guard value, then the gconv module's init function will not be called.
The problem is that find_module tests the *mangled* pointer against NULL and, if that test is false, the initializer is called.
Obviously with the mangling function being a simple xor, if the function's address is the same as the pointer guard, the mangled value will be zero and the initializer doesn't get called.
Inspection shows similar problems in gconv_db.c. There's also an instance in btowc.c, but in that case the test is just controlling an optimization and, as far as I can tell, doesn't result in incorrect operation.
If the function is xor then we could set the last bit of the guard to 1. As function pointers are aligned, the result cannot be zero.
Fedora has a fix for this already I think, which is just unconditionally demangle and *then* check for null.
There is almost no performance benefit to checking the mangled value for null, demangling if it is, and then calling the function.
Created attachment 7263 [details]
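The failure described in the report and the two proposed remedies (comment #1's odd guard, comment #3's demangle-then-check), as an added stand-alone example that is not glibc code and not the attached patch. It models PTR_MANGLE/PTR_DEMANGLE as the plain xor the report describes; `buggy_would_call`, `fixed_would_call`, `run_fixed`, `odd_guard` and `dummy_init` are names chosen for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a gconv module's init function pointer type. */
typedef int (*init_fn)(void);

/* Simplified stand-ins for PTR_MANGLE / PTR_DEMANGLE: a plain xor with a
   per-process guard value, which is the mangling the report describes. */
static uintptr_t ptr_mangle(init_fn fn, uintptr_t guard)
{
    return (uintptr_t) fn ^ guard;
}

static init_fn ptr_demangle(uintptr_t mangled, uintptr_t guard)
{
    return (init_fn) (mangled ^ guard);
}

/* Buggy pattern from the report: the NULL test is done on the *mangled*
   value.  Returns 1 if the initializer would be called, 0 otherwise.
   When fn == guard the xor yields 0 and the initializer is skipped. */
int buggy_would_call(init_fn fn, uintptr_t guard)
{
    uintptr_t mangled = ptr_mangle(fn, guard);
    return mangled != 0;
}

/* Fixed pattern (comment #3): demangle unconditionally, then test the real
   pointer.  Returns 1 if the initializer would be called. */
int fixed_would_call(init_fn fn, uintptr_t guard)
{
    uintptr_t mangled = ptr_mangle(fn, guard);
    init_fn real = ptr_demangle(mangled, guard);
    return real != NULL;
}

/* Mitigation from comment #1: force the guard's low bit to 1.  An odd guard
   xor'ed with an even (aligned) code address can never produce 0. */
uintptr_t odd_guard(uintptr_t guard)
{
    return guard | (uintptr_t) 1;
}

/* A dummy module init function that records that it ran. */
static int init_ran;
static int dummy_init(void)
{
    init_ran = 1;
    return 0;
}

/* Run the fixed pattern end to end; returns 1 if dummy_init actually ran. */
int run_fixed(init_fn fn, uintptr_t guard)
{
    init_ran = 0;
    init_fn real = ptr_demangle(ptr_mangle(fn, guard), guard);
    if (real != NULL)
        real();
    return init_ran;
}

int main(void)
{
    /* Constructed "unlucky" guard: equal to the init function's address. */
    uintptr_t guard = (uintptr_t) dummy_init;
    printf("buggy check calls init: %d\n", buggy_would_call(dummy_init, guard));
    printf("fixed check calls init: %d\n", fixed_would_call(dummy_init, guard));
    printf("init actually ran via fixed path: %d\n", run_fixed(dummy_init, guard));
    printf("buggy check with odd guard: %d\n",
           buggy_would_call(dummy_init, odd_guard(guard)));
    return 0;
}
```

Note that in this model a NULL pointer stored mangled becomes the guard value itself, so the buggy test also passes for it and would go on to call a demangled NULL; the demangle-first ordering avoids both failure modes with one comparison.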
(In reply to Carlos O'Donell from comment #3)
> Created attachment 7263 [details]
> Consistently demangle
Does this really work? Are these pointers never initialized to NULL?