Name: clC74495 Date: 07/26/99
The function GetJavaProperties() in
src/solaris/native/java/lang/java_props_md.c accesses freed
memory, which may result in undefined behaviour.
The problem is that after the "setlocale(LC_ALL, lc)" call, the
data pointed to by lc is freed and may not be accessed any
more. To quote the Solaris 7 setlocale(3C) manual page:
The string returned by setlocale() is such that a subsequent
call with that string and its associated category will
restore that part of the program's locale. The string
returned must not be modified by the program, *** but may be
overwritten by a subsequent call to setlocale(). ***
I.e. setlocale(LC_ALL, lc) is the subsequent call to setlocale
that "overwrites" the string returned by the first
lc = setlocale(LC_CTYPE, "") call!
TEST CASE:
Here are my locale settings:
% locale
LANG=de
LC_CTYPE=de
LC_NUMERIC=de
LC_TIME=de
LC_COLLATE=de
LC_MONETARY=de
LC_MESSAGES=de
LC_ALL=
The following piece of code is similar to what happens in
GetJavaProperties():
% cat loc.c
#include <locale.h>
#include <stdio.h>

int main(void)
{
    char *lc;
    lc = setlocale(LC_CTYPE, "");
    if (lc == NULL) {
        printf("lc == NULL\n");
    } else {
        setlocale(LC_ALL, lc);   /* may overwrite the buffer lc points to */
        printf("lc=%s\n", lc);   /* reads that buffer after the second call */
    }
    return 0;
}
% gcc -o loc loc.c
% loc
lc=de
The code "seems" to run OK.
But various memory checkers disagree:
% env LD_PRELOAD=watchmalloc.so.1 loc
lc=
(Note: no output any more)
% env EF_PROTECT_FREE=1 LD_PRELOAD=efence.so loc
Electric Fence 2.0.5 Copyright (C) 1987-1995 Bruce Perens.
Segmentation fault
(Note: Electric Fence immediately crashes on an illegal memory
access)
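A corrected version of the same pattern, added here as an example and not taken from the report or from the JDK source: the string returned by the first setlocale() is copied into a buffer the program owns before the second setlocale() call is made, so nothing reads the library's internal buffer after it may have been overwritten. The function name set_locale_copy is an assumption of this example.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Select locale `req` for LC_CTYPE, then apply the resulting locale name
 * to LC_ALL (the two calls GetJavaProperties() makes), without touching
 * setlocale()'s internal buffer after the second call.
 * Returns a heap copy of the locale name (caller frees) or NULL if the
 * locale is unavailable.  set_locale_copy is a name chosen for this example. */
char *set_locale_copy(const char *req)
{
    const char *lc = setlocale(LC_CTYPE, req);
    if (lc == NULL)
        return NULL;            /* locale not installed: the report's NULL branch */

    /* Copy now, while `lc` is still valid: the manual page only promises
     * the string until the next setlocale() call. */
    size_t n = strlen(lc) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return NULL;
    memcpy(copy, lc, n);

    /* The "subsequent call" that may overwrite the buffer `lc` points to.
     * From here on only `copy` is used. */
    if (setlocale(LC_ALL, copy) == NULL) {
        free(copy);
        return NULL;
    }
    return copy;
}

int main(void)
{
    char *lc = set_locale_copy("");   /* "" = locale from the environment, as in the report */
    if (lc == NULL) {
        printf("lc == NULL\n");
        return 1;
    }
    printf("lc=%s\n", lc);            /* correct even if setlocale() reused its buffer */
    free(lc);
    return 0;
}
```

Under the same watchmalloc/Electric Fence runs this version has no freed or reused memory to read, because the only pointer dereferenced after the second setlocale() is the program's own copy.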
(Review ID: 88278)
======================================================================