0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch (1396B)
1 >From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001 2 From: Rich Felker <dalias@aerifal.cx> 3 Date: Sun, 9 Feb 2025 10:07:19 -0500 4 Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder 5 6 as a result of incorrect bounds checking on the lead byte being 7 decoded, certain invalid inputs which should produce an encoding 8 error, such as "\xc8\x41", instead produced out-of-bounds loads from 9 the ksc table. 10 11 in a worst case, the loaded value may not be a valid unicode scalar 12 value, in which case, if the output encoding was UTF-8, wctomb would 13 return (size_t)-1, causing an overflow in the output pointer and 14 remaining buffer size which could clobber memory outside of the output 15 buffer. 16 17 bug report was submitted in private by Nick Wellnhofer on account of 18 potential security implications. 19 --- 20 src/locale/iconv.c | 2 +- 21 1 file changed, 1 insertion(+), 1 deletion(-) 22 23 diff --git a/src/locale/iconv.c b/src/locale/iconv.c 24 index 9605c8e9..008c93f0 100644 25 --- a/src/locale/iconv.c 26 +++ b/src/locale/iconv.c 27 @@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri 28 if (c >= 93 || d >= 94) { 29 c += (0xa1-0x81); 30 d += 0xa1; 31 - if (c >= 93 || c>=0xc6-0x81 && d>0x52) 32 + if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52) 33 goto ilseq; 34 if (d-'A'<26) d = d-'A'; 35 else if (d-'a'<26) d = d-'a'+26; 36 -- 37 2.21.0 38 39