5366 strcoll_l may destroy its arguments, then crash

*** 53,65 **** wchar_t *t1 = NULL, *t2 = NULL; wchar_t *w1 = NULL, *w2 = NULL; size_t sz1, sz2; const struct lc_collate *lcc = loc->collate; - mbstate_t mbs1 = { 0 }; /* initial states */ - mbstate_t mbs2 = { 0 }; - if (lcc->lc_is_posix) return (strcmp(s1, s2)); sz1 = strlen(s1) + 1; sz2 = strlen(s2) + 1; --- 53,62 ----
*** 87,100 **** } else { if ((w2 = alloca(sz2 * sizeof (wchar_t))) == NULL) goto error; } ! if ((mbsrtowcs_l(w1, &s1, sz1, &mbs1, loc)) == (size_t)-1) goto error; ! if ((mbsrtowcs_l(w2, &s2, sz2, &mbs2, loc)) == (size_t)-1) goto error; ret = wcscoll_l(w1, w2, loc); if (t1) free(t1); --- 84,97 ---- } else { if ((w2 = alloca(sz2 * sizeof (wchar_t))) == NULL) goto error; } ! if ((mbstowcs_l(w1, s1, sz1, loc)) == (size_t)-1) goto error; ! if ((mbstowcs_l(w2, s2, sz2, loc)) == (size_t)-1) goto error; ret = wcscoll_l(w1, w2, loc); if (t1) free(t1);
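Review bot: The `== NULL` test on `alloca(sz2 * sizeof (wchar_t))` in the context lines of this hunk can never fire, because alloca has no failure return; an oversized request overruns the stack instead of reaching `goto error`. What keeps this branch safe is whatever size limit the enclosing `if` applies before choosing alloca over the heap, and that condition is outside the hunk, so it cannot be confirmed from here. I would drop the dead test and state the dependency, e.g. `w2 = alloca(sz2 * sizeof (wchar_t)); /* alloca cannot report failure; sz2 is bounded by the test above */`. The w1 allocation above the hunk presumably has the same shape and would want the same treatment.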