5366 strcoll_l may destroy its arguments, then crash
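--- a/usr/src/lib/libc/port/locale/strcoll.c
+++ b/usr/src/lib/libc/port/locale/strcoll.c
@@ -1,118 +1,115 @@
 /*
 * Copyright 2013 Garrett D'Amore <garrett@damore.org>
 * Copyright 2010 Nexenta Systems, Inc. All rights reserved.
 * Copyright (c) 1995 Alex Tatmanjants <alex@elvisti.kiev.ua>
 * at Electronni Visti IA, Kiev, Ukraine.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
 #include "lint.h"
 #include "file64.h"
 #include <alloca.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <wchar.h>
 #include <xlocale.h>
 #include "localeimpl.h"
 #include "collate.h"
 
 #define ALLOCA_LIMIT 16
 
 /*
 * In order to properly handle multibyte locales, its easiet to just
 * convert to wide characters and then use wcscoll. However if an
 * error occurs, we gracefully fall back to simple strcmp. Caller
 * should check errno.
 */
 int
 strcoll_l(const char *s1, const char *s2, locale_t loc)
 {
 int ret;
 wchar_t *t1 = NULL, *t2 = NULL;
 wchar_t *w1 = NULL, *w2 = NULL;
 size_t sz1, sz2;
 const struct lc_collate *lcc = loc->collate;
 
-mbstate_t mbs1 = { 0 }; /* initial states */
-mbstate_t mbs2 = { 0 };
-
 if (lcc->lc_is_posix)
 return (strcmp(s1, s2));
 
 sz1 = strlen(s1) + 1;
 sz2 = strlen(s2) + 1;
 
 /*
 * Simple assumption: conversion to wide format is strictly
 * reducing, i.e. a single byte (or multibyte character)
 * cannot result in multiple wide characters.
 *
 * We gain a bit of performance by giving preference to alloca
 * for small string allocations.
 */
 if (sz1 > ALLOCA_LIMIT) {
 if ((t1 = malloc(sz1 * sizeof (wchar_t))) == NULL)
 goto error;
 w1 = t1;
 } else {
 if ((w1 = alloca(sz1 * sizeof (wchar_t))) == NULL)
 goto error;
 }
 if (sz2 > ALLOCA_LIMIT) {
 if ((t2 = malloc(sz2 * sizeof (wchar_t))) == NULL)
 goto error;
 w2 = t2;
 } else {
 if ((w2 = alloca(sz2 * sizeof (wchar_t))) == NULL)
 goto error;
 }
 
-if ((mbsrtowcs_l(w1, &s1, sz1, &mbs1, loc)) == (size_t)-1)
+if ((mbstowcs_l(w1, s1, sz1, loc)) == (size_t)-1)
 goto error;
 
-if ((mbsrtowcs_l(w2, &s2, sz2, &mbs2, loc)) == (size_t)-1)
+if ((mbstowcs_l(w2, s2, sz2, loc)) == (size_t)-1)
 goto error;
 
 ret = wcscoll_l(w1, w2, loc);
 if (t1)
 free(t1);
 if (t2)
 free(t2);
 
 return (ret);
 
 error:
 if (t1)
 free(t1);
 if (t2)
 free(t2);
 return (strcmp(s1, s2));
 }
 
 int
 strcoll(const char *s1, const char *s2)
 {
 return (strcoll_l(s1, s2, uselocale(NULL)));
 }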
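Review bot: Nothing at the two `mbstowcs_l` calls (new lines 89 and 92) records why the non-restartable form is required, even though the `strcmp(s1, s2)` fallback at `error:` depends on `s1` and `s2` still pointing at the caller's strings after a failed conversion. The removed `mbsrtowcs_l` calls took `&s1`/`&s2` and could rewrite those pointers, which matches the crash named in the title, so a later "cleanup" back to the restartable API would silently reintroduce it. I would add above the first call: `/* Pass s1/s2 by value: the error path still needs the original pointers for strcmp(). */`. Separately, the header comment tells callers to check errno, but the `free()` calls at `error:` run after the failing call and may not preserve it in this libc (to be confirmed); if they do not, save it on entry to `error:` and restore it before the return, e.g. `int e = errno;` ... `errno = e;`.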