From 66196c82a820c3d13c833f4c626afad1dacbfc75 Mon Sep 17 00:00:00 2001
From: emmett1 <emmett1.2miligrams@protonmail.com>
Date: Sat, 22 Feb 2025 02:36:20 +0800
Subject: musl: fix CVE-2025-26519

---
 repos/core/musl/.checksum                          |  2 ++
 ...rroneous-input-validation-in-EUC-KR-decod.patch | 39 ++++++++++++++++++++++
 ...n-UTF-8-output-code-path-against-input-de.patch | 39 ++++++++++++++++++++++
 repos/core/musl/abuild                             |  6 ++--
 repos/core/musl/patch                              |  0
 5 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 repos/core/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
 create mode 100644 repos/core/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
 create mode 100644 repos/core/musl/patch

diff --git a/repos/core/musl/.checksum b/repos/core/musl/.checksum
index a8c6b33f..bff70281 100644
--- a/repos/core/musl/.checksum
+++ b/repos/core/musl/.checksum
@@ -1,3 +1,5 @@
+8471ed3317ec31cd92b0c6055407115bc7377aaad8da552ffbe6655871c9840b  0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
+18d1d243e0d7a479bc795d8af152d5f43b8f53f09da038d8e46ca2ac9207ecf4  0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
 936eb5830af322af38a1d08d02cc1d31ae95efdbc2e381b0e5fa6e91eebe693e  cdefs.h
 ae7b2598293d87cff4fc4e8bed5faabe486615ad7484a08d6dfea807786af895  elfutils-0.190-relr.patch
 676213e6d717200470f5f8b2c30c171e47e20eebfa669891afe43c514e1b72b5  getconf.1
diff --git a/repos/core/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch b/repos/core/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
new file mode 100644
index 00000000..27949dc3
--- /dev/null
+++ b/repos/core/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
@@ -0,0 +1,39 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+
+
diff --git a/repos/core/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch b/repos/core/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
new file mode 100644
index 00000000..acb8a60a
--- /dev/null
+++ b/repos/core/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
@@ -0,0 +1,39 @@
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
++			/* This failure condition should be unreachable, but
++			 * is included to prevent decoder bugs from translating
++			 * into advancement outside the output buffer range. */
++			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
+-- 
+2.21.0
+
+
+
diff --git a/repos/core/musl/abuild b/repos/core/musl/abuild
index 201cbc58..9f9dacdc 100644
--- a/repos/core/musl/abuild
+++ b/repos/core/musl/abuild
@@ -1,6 +1,6 @@
 name=musl
 version=1.2.5
-release=1
+release=2
 source="https://www.musl-libc.org/releases/musl-$version.tar.gz
 	getconf.c
 	getconf.1
@@ -10,7 +10,9 @@ source="https://www.musl-libc.org/releases/musl-$version.tar.gz
 	tree.h
 	queue.h
 	cdefs.h
-	elfutils-0.190-relr.patch"
+	elfutils-0.190-relr.patch
+	0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
+	0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch"
 keep_static=1
 
 build() {
diff --git a/repos/core/musl/patch b/repos/core/musl/patch
new file mode 100644
index 00000000..e69de29b
-- 
cgit v1.2.3