part1 of fixing #6599:

* protect against invocations of ctype-macros/-functions with negative
  character indices by mirroring the corresponding values at negative
  array indices (the legal access range of __ctype_b is now [-128..255])


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@38708 a95241bf-73f2-0310-859d-f6bbb57e9c96

headers/private/libroot/locale/ICUCtypeData.h

@@ -33,13 +33,17 @@ public:
 
 private:
 			/*
-			 * the following arrays have 257 elements where the first is a
-			 * dummy element (containing the neutral/identity value) used when
-			 * the array is accessed as in 'isblank(EOF)' (i.e. with index -1).
+			 * The following arrays have 384 elements where the elements at
+			 * index -128..-2 mirror the elements at index 128..255 (to protect
+			 * against invocations of ctype macros with negative character
+			 * values).
+			 * The element at index -1 is a dummy element containing the
+			 * neutral/identity value used when the array is accessed as in
+			 * 'isblank(EOF)' (i.e. with index -1).
 			 */
-			unsigned short		fClassInfo[257];
-			int					fToLowerMap[257];
-			int					fToUpperMap[257];
+			unsigned short		fClassInfo[384];
+			int					fToLowerMap[384];
+			int					fToUpperMap[384];
 
 			LocaleCtypeDataBridge*	fDataBridge;
 };

headers/private/libroot/locale/PosixCtype.h

@@ -10,13 +10,16 @@ namespace BPrivate {
 
 
 /*
- * the following arrays have 257 elements where the first is a
- * dummy element (containing the neutral/identity value) used when
- * the array is accessed as in 'isblank(EOF)' (i.e. with index -1).
+ * The following arrays have 384 elements where the elements at index -128..-2
+ * mirror the elements at index 128..255 (to protect against invocations of
+ * ctype macros with negative character values).
+ * The element at index -1 is a dummy element containing the neutral/identity
+ * value used when the array is accessed as in 'isblank(EOF)' (i.e. with
+ * index -1).
  */
-extern const unsigned short gPosixClassInfo[257];
-extern const int gPosixToLowerMap[257];
-extern const int gPosixToUpperMap[257];
+extern const unsigned short gPosixClassInfo[384];
+extern const int gPosixToLowerMap[384];
+extern const int gPosixToUpperMap[384];
 
 
 }	// namespace BPrivate

src/system/libroot/add-ons/icu/ICUCtypeData.cpp

@@ -30,9 +30,9 @@ ICUCtypeData::~ICUCtypeData()
 void
 ICUCtypeData::Initialize(LocaleCtypeDataBridge* dataBridge)
 {
-	*dataBridge->addrOfClassInfoTable = &fClassInfo[1];
-	*dataBridge->addrOfToLowerTable = &fToLowerMap[1];
-	*dataBridge->addrOfToUpperTable = &fToUpperMap[1];
+	*dataBridge->addrOfClassInfoTable = &fClassInfo[128];
+	*dataBridge->addrOfToLowerTable = &fToLowerMap[128];
+	*dataBridge->addrOfToUpperTable = &fToUpperMap[128];
 	fDataBridge = dataBridge;
 }
 
@@ -97,9 +97,15 @@ ICUCtypeData::SetTo(const Locale& locale, const char* posixLocaleName)
 			if (U_SUCCESS(icuStatus))
 				toUpper = (unsigned char)buffer[0];
 		}
-		fClassInfo[i + 1] = classInfo;
-		fToLowerMap[i + 1] = toLower;
-		fToUpperMap[i + 1] = toUpper;
+		fClassInfo[i + 128] = classInfo;
+		fToLowerMap[i + 128] = toLower;
+		fToUpperMap[i + 128] = toUpper;
+		if (i >= 128 && i < 255) {
+			// mirror upper half at negative indices (except for -1 [=EOF])
+			fClassInfo[i - 128] = classInfo;
+			fToLowerMap[i - 128] = toLower;
+			fToUpperMap[i - 128] = toUpper;
+		}
 	}
 
 	return B_OK;

src/system/libroot/posix/locale/LocaleData.cpp

@@ -28,11 +28,30 @@ namespace BPrivate {
 
 
 /*
- * the following arrays have 257 elements where the first is a
- * dummy element (containing the neutral/identity value) used when
- * the array is accessed as in 'isblank(EOF)' (i.e. with index -1).
+ * The following arrays have 384 elements where the elements at index -128..-2
+ * mirror the elements at index 128..255 (to protect against invocations of
+ * ctype macros with negative character values).
+ * The element at index -1 is a dummy element containing the neutral/identity
+ * value used when the array is accessed as in 'isblank(EOF)' (i.e. with
+ * index -1).
  */
-const unsigned short gPosixClassInfo[257] = {
+const unsigned short gPosixClassInfo[384] = {
+	/*-128 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/*-120 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/*-112 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/*-104 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -96 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -88 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -80 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -72 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -64 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -56 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -48 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -40 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -32 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -24 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/* -16 */	0, 0, 0, 0, 0, 0, 0, 0,
+	/*  -8 */	0, 0, 0, 0, 0, 0, 0,
 	/*  -1 */   0,	// neutral value
 	/*   0 */	_IScntrl, _IScntrl, _IScntrl, _IScntrl, _IScntrl, _IScntrl, _IScntrl, _IScntrl,
 	/*   8 */	_IScntrl, _ISblank|_IScntrl|_ISspace, _IScntrl|_ISspace, _IScntrl|_ISspace, _IScntrl|_ISspace, _IScntrl|_ISspace, _IScntrl, _IScntrl,
@@ -68,7 +87,23 @@ const unsigned short gPosixClassInfo[257] = {
 	/* 248 */	0, 0, 0, 0, 0, 0, 0, 0
 };
 
-const int gPosixToLowerMap[257] = {
+const int gPosixToLowerMap[384] = {
+	/*-128 */	128, 129, 130, 131, 132, 133, 134, 135,
+	/*-120 */	136, 137, 138, 139, 140, 141, 142, 143,
+	/*-112 */	144, 145, 146, 147, 148, 149, 150, 151,
+	/*-104 */	152, 153, 154, 155, 156, 157, 158, 159,
+	/* -96 */	160, 161, 162, 163, 164, 165, 166, 167,
+	/* -88 */	168, 169, 170, 171, 172, 173, 174, 175,
+	/* -80 */	176, 177, 178, 179, 180, 181, 182, 183,
+	/* -72 */	184, 185, 186, 187, 188, 189, 190, 191,
+	/* -64 */	192, 193, 194, 195, 196, 197, 198, 199,
+	/* -56 */	200, 201, 202, 203, 204, 205, 206, 207,
+	/* -48 */	208, 209, 210, 211, 212, 213, 214, 215,
+	/* -40 */	216, 217, 218, 219, 220, 221, 222, 223,
+	/* -32 */	224, 225, 226, 227, 228, 229, 230, 231,
+	/* -24 */	232, 233, 234, 235, 236, 237, 238, 239,
+	/* -16 */	240, 241, 242, 243, 244, 245, 246, 247,
+	/*  -8 */	248, 249, 250, 251, 252, 253, 254,
 	/*  -1 */    -1,	// identity value
 	/*   0 */	  0,   1,   2,   3,   4,   5,   6,   7,
 	/*   8 */	  8,   9,  10,  11,  12,  13,  14,  15,
@@ -105,7 +140,23 @@ const int gPosixToLowerMap[257] = {
 };
 
 
-const int gPosixToUpperMap[257] = {
+const int gPosixToUpperMap[384] = {
+	/*-128 */	128, 129, 130, 131, 132, 133, 134, 135,
+	/*-120 */	136, 137, 138, 139, 140, 141, 142, 143,
+	/*-112 */	144, 145, 146, 147, 148, 149, 150, 151,
+	/*-104 */	152, 153, 154, 155, 156, 157, 158, 159,
+	/* -96 */	160, 161, 162, 163, 164, 165, 166, 167,
+	/* -88 */	168, 169, 170, 171, 172, 173, 174, 175,
+	/* -80 */	176, 177, 178, 179, 180, 181, 182, 183,
+	/* -72 */	184, 185, 186, 187, 188, 189, 190, 191,
+	/* -64 */	192, 193, 194, 195, 196, 197, 198, 199,
+	/* -56 */	200, 201, 202, 203, 204, 205, 206, 207,
+	/* -48 */	208, 209, 210, 211, 212, 213, 214, 215,
+	/* -40 */	216, 217, 218, 219, 220, 221, 222, 223,
+	/* -32 */	224, 225, 226, 227, 228, 229, 230, 231,
+	/* -24 */	232, 233, 234, 235, 236, 237, 238, 239,
+	/* -16 */	240, 241, 242, 243, 244, 245, 246, 247,
+	/*  -8 */	248, 249, 250, 251, 252, 253, 254,
 	/*  -1 */    -1,	// identity value
 	/*   0 */	  0,   1,   2,   3,   4,   5,   6,   7,
 	/*   8 */	  8,   9,  10,  11,  12,  13,  14,  15,
@@ -275,6 +326,6 @@ const char* gPosixLanginfo[_NL_LANGINFO_LAST] = {
 }	// namespace BPrivate
 
 
-const unsigned short* 	__ctype_b 		= &BPrivate::gPosixClassInfo[1];
-const int* 				__ctype_tolower = &BPrivate::gPosixToLowerMap[1];
-const int* 				__ctype_toupper = &BPrivate::gPosixToUpperMap[1];
+const unsigned short* 	__ctype_b 		= &BPrivate::gPosixClassInfo[128];
+const int* 				__ctype_tolower = &BPrivate::gPosixToLowerMap[128];
+const int* 				__ctype_toupper = &BPrivate::gPosixToUpperMap[128];

src/system/libroot/posix/locale/ctype.cpp

@@ -29,7 +29,7 @@
 int
 isalnum(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & (_ISupper | _ISlower | _ISdigit);
 
 	return 0;
@@ -39,7 +39,7 @@ isalnum(int c)
 int
 isalpha(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & (_ISupper | _ISlower);
 
 	return 0;
@@ -57,7 +57,7 @@ isascii(int c)
 int
 isblank(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISblank;
 
 	return 0;
@@ -67,7 +67,7 @@ isblank(int c)
 int
 iscntrl(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _IScntrl;
 
 	return 0;
@@ -77,7 +77,7 @@ iscntrl(int c)
 int
 isdigit(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISdigit;
 
 	return 0;
@@ -87,7 +87,7 @@ isdigit(int c)
 int
 isgraph(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISgraph;
 
 	return 0;
@@ -97,7 +97,7 @@ isgraph(int c)
 int
 islower(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISlower;
 
 	return 0;
@@ -107,7 +107,7 @@ islower(int c)
 int
 isprint(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISprint;
 
 	return 0;
@@ -117,7 +117,7 @@ isprint(int c)
 int
 ispunct(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISpunct;
 
 	return 0;
@@ -127,7 +127,7 @@ ispunct(int c)
 int
 isspace(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISspace;
 
 	return 0;
@@ -137,7 +137,7 @@ isspace(int c)
 int
 isupper(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISupper;
 
 	return 0;
@@ -147,7 +147,7 @@ isupper(int c)
 int
 isxdigit(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_b[c] & _ISxdigit;
 
 	return 0;
@@ -165,7 +165,7 @@ toascii(int c)
 int
 tolower(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_tolower[c];
 
 	return c;
@@ -175,7 +175,7 @@ tolower(int c)
 int
 toupper(int c)
 {
-	if (c >= 0 && c < 256)
+	if (c >= -128 && c < 256)
 		return __ctype_toupper[c];
 
 	return c;