
S0C4 abend in wcstombs on z/OS

Description

ICU version 4.8.1

I received an S0C4 abend calling u_strFromWCS() passing it a 179 wchar_t array with many embedded NUL characters. Abbreviated traceback looked like:

wcstombs              -0000029C  CELHV003
_strFromWCS           +0000026E  *PATHNAM
u_strFromWCS_48_arsxh +00000086  *PATHNAM

Two issues appeared. The first was that the cStack was being exhausted by the 179 characters. That is caused by the

remaining -= (pCSrc-pCSave);

That subtracts the cumulative length instead of just the length used by a given iteration. I changed that to

remaining -= (retVal + 1);

The second, and the one that causes the abend, was the fact that when remaining became negative, the buffer was not resized, subsequently causing a buffer overflow. That was caused by the

if(remaining < (nulLen * MB_CUR_MAX)){

coupled with the fact that MB_CUR_MAX on z/OS expands to produce a size_t result. That in turn caused the compiler to generate an unsigned comparison, and so the negative remaining was not detected. Changing that to

if(remaining < (int32_t) (nulLen * MB_CUR_MAX)){

generates a signed comparison, and causes the buffer to get reallocated.

Diff attached.
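The two defects described in this report, reduced to a small model. This is an added example, not ICU source and not the reporter's diff. The helper names, the `mb_cur_max` constant standing in for a `size_t`-typed `MB_CUR_MAX`, and the buffer and segment sizes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for MB_CUR_MAX on a platform where it has type
   size_t, as the report describes for z/OS. The value 4 is constructed. */
static const size_t mb_cur_max = 4;

/* Guard as quoted in the report. nulLen * mb_cur_max is a size_t, so
   `remaining` is converted to unsigned and a negative value looks huge. */
static int needs_resize_unsigned(int32_t remaining, int32_t nulLen) {
    return remaining < (nulLen * mb_cur_max);
}

/* Guard with the reporter's cast: both operands are int32_t again. */
static int needs_resize_signed(int32_t remaining, int32_t nulLen) {
    return remaining < (int32_t)(nulLen * mb_cur_max);
}

/* Bookkeeping only: n segments of seg_len bytes, each followed by a NUL.
   cumulative != 0 models `remaining -= (pCSrc - pCSave)`,
   cumulative == 0 models `remaining -= (retVal + 1)`. */
static int32_t remaining_after(int32_t capacity, int n, int32_t seg_len,
                               int cumulative) {
    int32_t remaining = capacity;
    int32_t written = 0;               /* pCSrc - pCSave */
    for (int i = 0; i < n; i++) {
        int32_t retVal = seg_len;      /* bytes produced this pass */
        written += retVal + 1;
        remaining -= cumulative ? written : (retVal + 1);
    }
    return remaining;
}

int main(void) {
    /* Constructed input: 100-byte buffer, 5 segments of 9 bytes + NUL. */
    int32_t bad = remaining_after(100, 5, 9, 1);   /* -50 */
    int32_t good = remaining_after(100, 5, 9, 0);  /*  50 */
    printf("cumulative: %d, per-pass: %d\n", (int)bad, (int)good);
    printf("unsigned guard on %d: %d\n", (int)bad, needs_resize_unsigned(bad, 1));
    printf("signed guard on %d:   %d\n", (int)bad, needs_resize_signed(bad, 1));
    return 0;
}
```

Compiling with `-Wsign-compare` (part of `-Wextra` for C in GCC and Clang) flags the comparison in `needs_resize_unsigned`.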

Environment

Status

Assignee

Dragan Besevic

Reporter

TracBot

Time Needed

Hours

tracCreated

Jul 25, 2012, 2:00 PM

tracOwner

dbesevic

tracProject

ICU4C

tracReporter

bwolf@63ab4e4d4e2312f9

tracStatus

accepted

tracWeeks

0.2

Components

Priority

assess