| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
- From: Rich Felker <dalias@aerifal.cx>
- Date: Wed, 12 Feb 2025 17:06:30 -0500
- Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
- bugs
- the UTF-8 output code was written assuming an invariant that iconv's
- decoders only emit valid Unicode Scalar Values which wctomb can encode
- successfully, thereby always returning a value between 1 and 4.
- if this invariant is not satisfied, wctomb returns (size_t)-1, and the
- subsequent adjustments to the output buffer pointer and remaining
- output byte count overflow, moving the output position backwards,
- potentially past the beginning of the buffer, without storing any
- bytes.
- Upstream: https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da
- Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- ---
- src/locale/iconv.c | 4 ++++
- 1 file changed, 4 insertions(+)
- diff --git a/src/locale/iconv.c b/src/locale/iconv.c
- index 008c93f0..52178950 100644
- --- a/src/locale/iconv.c
- +++ b/src/locale/iconv.c
- @@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
- if (*outb < k) goto toobig;
- memcpy(*out, tmp, k);
- } else k = wctomb_utf8(*out, c);
- + /* This failure condition should be unreachable, but
- + * is included to prevent decoder bugs from translating
- + * into advancement outside the output buffer range. */
- + if (k>4) goto ilseq;
- *out += k;
- *outb -= k;
- break;
- --
- 2.39.5
|
