0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch (1371B)
1 >From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
2 From: Rich Felker <dalias@aerifal.cx>
3 Date: Wed, 12 Feb 2025 17:06:30 -0500
4 Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
5 bugs
6
7 the UTF-8 output code was written assuming an invariant that iconv's
8 decoders only emit valid Unicode Scalar Values which wctomb can encode
9 successfully, thereby always returning a value between 1 and 4.
10
11 if this invariant is not satisfied, wctomb returns (size_t)-1, and the
12 subsequent adjustments to the output buffer pointer and remaining
13 output byte count overflow, moving the output position backwards,
14 potentially past the beginning of the buffer, without storing any
15 bytes.
16 ---
17 src/locale/iconv.c | 4 ++++
18 1 file changed, 4 insertions(+)
19
20 diff --git a/src/locale/iconv.c b/src/locale/iconv.c
21 index 008c93f0..52178950 100644
22 --- a/src/locale/iconv.c
23 +++ b/src/locale/iconv.c
24 @@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
25 if (*outb < k) goto toobig;
26 memcpy(*out, tmp, k);
27 } else k = wctomb_utf8(*out, c);
28 + /* This failure condition should be unreachable, but
29 + * is included to prevent decoder bugs from translating
30 + * into advancement outside the output buffer range. */
31 + if (k>4) goto ilseq;
32 *out += k;
33 *outb -= k;
34 break;
35 --
36 2.21.0
37
38
39
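Review bot: The added `if (k>4) goto ilseq;` only changes the outcome on the `else` path. In the temp-buffer path just above it, a failed `wctomb_utf8(tmp, c)` already satisfies `if (*outb < k) goto toobig;`, so the same decoder bug is presumably reported as "output buffer too small" rather than as an illegal sequence when little output space remains. That path is memory-safe, since nothing is copied or advanced, but a caller that grows the buffer and retries then gets a different error. Repeating `if (k>4) goto ilseq;` directly after `k = wctomb_utf8(tmp, c);` would make the result consistent. The guard also depends on `k` being unsigned so that the `(size_t)-1` failure value named in the commit message compares greater than 4; the comment could say so, e.g. `/* k is size_t: a wctomb_utf8 failure shows up as a huge value */`. The condition selecting the temp-buffer branch and the rest of `iconv` lie outside the hunk, so the branch behaviour is inferred from the visible context lines.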