0003-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch (1394B)
- From 68480ab0b8c0477929f92387a8880d941917df49 Mon Sep 17 00:00:00 2001
- From: Rich Felker <dalias@aerifal.cx>
- Date: Sun, 9 Feb 2025 10:07:19 -0500
- Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
- as a result of incorrect bounds checking on the lead byte being
- decoded, certain invalid inputs which should produce an encoding
- error, such as "\xc8\x41", instead produced out-of-bounds loads from
- the ksc table.
- in a worst case, the loaded value may not be a valid unicode scalar
- value, in which case, if the output encoding was UTF-8, wctomb would
- return (size_t)-1, causing an overflow in the output pointer and
- remaining buffer size which could clobber memory outside of the output
- buffer.
- bug report was submitted in private by Nick Wellnhofer on account of
- potential security implications.
- ---
- src/locale/iconv.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/src/locale/iconv.c b/src/locale/iconv.c
- index 175def1c..25743a20 100644
- --- a/src/locale/iconv.c
- +++ b/src/locale/iconv.c
- @@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
- if (c >= 93 || d >= 94) {
- c += (0xa1-0x81);
- d += 0xa1;
- - if (c >= 93 || c>=0xc6-0x81 && d>0x52)
- + if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
- goto ilseq;
- if (d-'A'<26) d = d-'A';
- else if (d-'a'<26) d = d-'a'+26;
- --
- 2.45.2