From 83ff55dcd7fc7c3356d7b2d3f67ec99970728d9b Mon Sep 17 00:00:00 2001
From: Richard Lowe <richlowe@richlowe.net>
Date: Fri, 21 Nov 2014 16:10:56 -0500
Subject: [PATCH] 5366 strcoll_l may destroy its arguments, then crash Reviewed
 by: Garrett D'Amore <garrett@damore.org> Reviewed by: Robert Mustacchi
 <rm@joyent.com> Approved by: Dan McDonald <danmcd@omniti.com>

---
 usr/src/lib/libc/port/locale/mbstowcs.c | 4 +---
 usr/src/lib/libc/port/locale/strcoll.c  | 7 ++-----
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/usr/src/lib/libc/port/locale/mbstowcs.c b/usr/src/lib/libc/port/locale/mbstowcs.c
index 1e853f2682..6700ec772d 100644
--- a/usr/src/lib/libc/port/locale/mbstowcs.c
+++ b/usr/src/lib/libc/port/locale/mbstowcs.c
@@ -39,11 +39,9 @@ size_t
 mbstowcs_l(wchar_t *_RESTRICT_KYWD pwcs, const char *_RESTRICT_KYWD s,
     size_t n, locale_t loc)
 {
-	static const mbstate_t initial = { 0 };
-	mbstate_t mbs;
+	mbstate_t mbs = { 0 };
 	const char *sp;
 
-	mbs = initial;
 	sp = s;
 	return (loc->ctype->lc_mbsnrtowcs(pwcs, &sp, ULONG_MAX, n, &mbs));
 }
diff --git a/usr/src/lib/libc/port/locale/strcoll.c b/usr/src/lib/libc/port/locale/strcoll.c
index 55cf459215..1aaace6e36 100644
--- a/usr/src/lib/libc/port/locale/strcoll.c
+++ b/usr/src/lib/libc/port/locale/strcoll.c
@@ -55,9 +55,6 @@ strcoll_l(const char *s1, const char *s2, locale_t loc)
 	size_t sz1, sz2;
 	const struct lc_collate *lcc = loc->collate;
 
-	mbstate_t mbs1 = { 0 };	/* initial states */
-	mbstate_t mbs2 = { 0 };
-
 	if (lcc->lc_is_posix)
 		return (strcmp(s1, s2));
 
@@ -89,10 +86,10 @@ strcoll_l(const char *s1, const char *s2, locale_t loc)
 			goto error;
 	}
 
-	if ((mbsrtowcs_l(w1, &s1, sz1, &mbs1, loc)) == (size_t)-1)
+	if ((mbstowcs_l(w1, s1, sz1, loc)) == (size_t)-1)
 		goto error;
 
-	if ((mbsrtowcs_l(w2, &s2, sz2, &mbs2, loc)) == (size_t)-1)
+	if ((mbstowcs_l(w2, s2, sz2, loc)) == (size_t)-1)
 		goto error;
 
 	ret = wcscoll_l(w1, w2, loc);
-- 
2.11.4.GIT