Bug 356 - localedata: tests-mbwc/tst_iswalnum segfaults during make check
Summary: localedata: tests-mbwc/tst_iswalnum segfaults during make check
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.3.3
Importance: P2 critical
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2004-08-30 15:39 UTC by John Lumby
Modified: 2019-04-10 12:37 UTC
CC: 2 users

See Also:
Last reconfirmed:
fweimer: security-


Description John Lumby 2004-08-30 15:39:18 UTC
I am running on linux kernel 2.6.7 on an i686 (pentium III).
gcc version 3.4.1
binutils assembler 2.15
downloaded glibc 2.3.3, applied two fixes as documented in
     msg00179.html    (conflicting types for 'fixup' and profile_fixup')
     msg00013.html    (initfini.c)
after which build ok but make check - segfault in tst_iswalnum.

The segfault occurs in wcfuncs.c func __iswalnum here
        return wctype_table_lookup (desc, wc);
desc is supposed to be a ptr to a const string but contains 0x10.

On some more investigating, I think I see (maybe) why:
in loadlocale.c func _nl_intern_locale_data() line 118
      if (__builtin_expect (_nl_value_types[category][cnt] == word, 0))
In the failing case, category is 0 (LC_CTYPE) and cnt (index) is 82
However the size of the _nl_value_types[LC_CTYPE] array is only 65.
So the above line is accessing outside the bounds of the array and may therefore
be incorrectly assigning the value of the word instead of the pointer to
the string.
The size of the _nl_value_types[LC_CTYPE] array is determined by 
whereas the size of the max number of values of LC_CTYPE is determined in
_NL_NUM_LC_CTYPE, which has a bigger and different list than categories.def

I see the comment /* The actual definition of ctype is meaningless here.*/
in categories.def and I see some tricky run-time resolution of these externs in 
localeinfo.h :
   it is desireable to avoid always linking in the code
   and data for every category when we can tell at link time that they are
   unused.  We can manage this playing some tricks with weak references.
so maybe I am completely misunderstanding these type and value arrays
(and gdb can't understand any of it either)
but it does crash so please can you help.

P.S.  I did not try building from cvs since I don't have room for both 2.3.3 and
cvs and want to use 2.3.3, and I see these files look pretty much the same in
cvsweb, but if there's a fix in it please advise.
Comment 1 John Lumby 2004-08-30 18:11:48 UTC
Oh - by the way - I did trace through _nl_intern_locale_data while the test was
executing and it loaded the LC_CTYPE category several times, with varying numbers
of items, but in every case, item 82 (which I think is named _NL_CTYPE_EXTRA_MAP_12
according to langinfo.h) was considered to be of type "word" according to the
test I noted above,
     if (__builtin_expect (_nl_value_types[category][cnt] == word, 0))
so, regardless of whether this test was referencing the static array of
categories or some trickily-loaded dynamic array, it seems incorrect that the
testcase is accessing that value as though it was a string pointer.

I would add that it seems undesirable to me to resort to this kind of trickery
of accessing dynamically-loaded areas as though they were static, as it makes it
hard to debug with a conventional debugger.
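Added example (not glibc code and not from the reporter): a small C model of the failure mode described in the report and in Comment 1. A per-item type table has fewer entries than the number of items the loader interns, so an unchecked loader reads `types[cnt]` past the end of the table, misclassifies a `word` item, and hands out its integer value as a string pointer (the `desc == 0x10` seen in the crash). The names `short_types`, `full_types`, `sample_blob`, `intern_checked` and the blob layout are constructed for this example and stand in for `_nl_value_types[LC_CTYPE]`, `_NL_NUM_LC_CTYPE` and `_nl_intern_locale_data`; they are not glibc's identifiers or layout. The loader below refuses to intern an item that has no type entry and validates string offsets against the blob, and the `_Static_assert` is the build-time check that would turn a 65-entry table against a larger item count into a compile error.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not glibc code. The value kinds mirror the word /
   string distinction in glibc's _nl_value_types: a word is an integer kept
   inline, a string is a file offset that the loader resolves to a pointer. */
enum value_type { string, word };

/* Number of items the loader finds in the constructed data blob
   (stands in for _NL_NUM_LC_CTYPE in the report). */
#define NUM_ITEMS 5

/* Type table with fewer entries than NUM_ITEMS: the mismatch the reporter
   saw (65 entries, index 82). Reading short_types[cnt] for cnt >= 3 would
   be an out-of-bounds read and undefined behaviour. */
static const enum value_type short_types[] = { string, word, string };
#define SHORT_TYPES_LEN (sizeof short_types / sizeof short_types[0])

/* Corrected table with one entry per item. The static assertion is the
   build-time check that makes a table/count mismatch a compile error. */
static const enum value_type full_types[] = { string, word, string, word, string };
_Static_assert(sizeof full_types / sizeof full_types[0] == NUM_ITEMS,
               "type table must have exactly one entry per item");

/* One interned value: a pointer into the blob or an inline word. */
union locale_value { const char *string; uint32_t word; };

/* Constructed on-disk layout: one 32-bit cell per item, holding either a
   byte offset into `strings` or an inline word, followed by string data. */
struct blob { uint32_t cells[NUM_ITEMS]; char strings[16]; };

/* Constructed LC_CTYPE-like data: items 0, 2, 4 are strings at offsets
   0, 4, 8; items 1 and 3 are words. Item 1 carries 0x10, the value the
   reporter found in `desc` when it was wrongly treated as a pointer. */
static const struct blob sample_blob = { { 0, 0x10, 4, 7, 8 }, "abc\0xyz\0q" };

/* Intern `nitems` cells of `b` according to `types` (`ntypes` entries).
   Returns the item count on success, -1 if an item has no type entry or a
   string offset does not name a NUL-terminated string inside the blob.
   Failing closed is the fix for the bug's mechanism: an unchecked loader
   would read past `types`, take a word as a string offset and hand out a
   bogus pointer for a later wctype_table_lookup to dereference. */
static int intern_checked(const struct blob *b, size_t nitems,
                          const enum value_type *types, size_t ntypes,
                          union locale_value *out)
{
    for (size_t cnt = 0; cnt < nitems; cnt++) {
        if (cnt >= ntypes)
            return -1;                 /* no type entry: table too short */
        uint32_t cell = b->cells[cnt];
        if (types[cnt] == word) {
            out[cnt].word = cell;
            continue;
        }
        if (cell >= sizeof b->strings ||
            memchr(b->strings + cell, '\0', sizeof b->strings - cell) == NULL)
            return -1;                 /* offset or terminator outside blob */
        out[cnt].string = b->strings + cell;
    }
    return (int)nitems;
}

/* Loading with the short table is rejected instead of reading past it. */
static int demo_short_table(void)
{
    union locale_value out[NUM_ITEMS];
    return intern_checked(&sample_blob, NUM_ITEMS, short_types, SHORT_TYPES_LEN, out);
}

/* Loading with the full table interns all five items into `out`. */
static int demo_full_table(union locale_value out[NUM_ITEMS])
{
    return intern_checked(&sample_blob, NUM_ITEMS, full_types, NUM_ITEMS, out);
}

int main(void)
{
    union locale_value out[NUM_ITEMS];
    printf("short table: %d\n", demo_short_table());
    int n = demo_full_table(out);
    printf("full table: %d items, item1 word=0x%x, item2=\"%s\"\n",
           n, out[1].word, out[2].string);
    return 0;
}
```

The runtime check catches a mismatch that slipped past the build, but the `_Static_assert` is the cheaper control: if the item count and the type table are generated from different lists, as the reporter suspects of `_NL_NUM_LC_CTYPE` versus categories.def, the build is the place to notice.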
Comment 2 Ulrich Drepper 2004-09-26 05:49:34 UTC
Strange, I never saw any crash.  But there surely is something wrong.

I think I got it fixed in the current CVS code.  Please test.  In case you still
see a problem, reopen the bug.
Comment 3 John Lumby 2004-10-10 19:47:09 UTC
Thanks - that fixed it.
Comment 4 John Lumby 2004-10-10 19:50:07 UTC
Subject: RE:  localedata: tests-mbwc/tst_iswalnum segfaults during make che

Thanks Ulrich - yes, that fixed it.
----Original Message Follows----
From: "drepper at redhat dot com" <sourceware-bugzilla@sources.redhat.com>
Date: 26 Sep 2004 05:49:35 -0000

            What    |Removed                     |Added
              Status|NEW                         |RESOLVED
          Resolution|                            |FIXED