39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
|
From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Rich Felker <dalias@aerifal.cx>
|
||
|
|
Date: Sun, 9 Feb 2025 10:07:19 -0500
|
||
|
|
Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
|
||
|
|
|
||
|
|
as a result of incorrect bounds checking on the lead byte being
|
||
|
|
decoded, certain invalid inputs which should produce an encoding
|
||
|
|
error, such as "\xc8\x41", instead produced out-of-bounds loads from
|
||
|
|
the ksc table.
|
||
|
|
|
||
|
|
in a worst case, the loaded value may not be a valid unicode scalar
|
||
|
|
value, in which case, if the output encoding was UTF-8, wctomb would
|
||
|
|
return (size_t)-1, causing an overflow in the output pointer and
|
||
|
|
remaining buffer size which could clobber memory outside of the output
|
||
|
|
buffer.
|
||
|
|
|
||
|
|
bug report was submitted in private by Nick Wellnhofer on account of
|
||
|
|
potential security implications.
|
||
|
|
---
|
||
|
|
src/locale/iconv.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
|
||
|
|
index 9605c8e9..008c93f0 100644
|
||
|
|
--- a/src/locale/iconv.c
|
||
|
|
+++ b/src/locale/iconv.c
|
||
|
|
@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
|
||
|
|
if (c >= 93 || d >= 94) {
|
||
|
|
c += (0xa1-0x81);
|
||
|
|
d += 0xa1;
|
||
|
|
- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
|
||
|
|
+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
|
||
|
|
goto ilseq;
|
||
|
|
if (d-'A'<26) d = d-'A';
|
||
|
|
else if (d-'a'<26) d = d-'a'+26;
|
||
|
|
--
|
||
|
|
2.21.0
|
||
|
|
|