authorRich Felker <dalias@aerifal.cx>2025-02-09 10:07:19 -0500
committerRich Felker <dalias@aerifal.cx>2025-02-09 10:07:19 -0500
commite5adcd97b5196e29991b524237381a0202a60659 (patch)
treec3b8778088d40c2e50833ee16d6b613eea71e5df
parent5e594aeabf331ae0abb380c5fa58e5348b2b0148 (diff)
iconv: fix erroneous input validation in EUC-KR decoder
as a result of incorrect bounds checking on the lead byte being decoded, certain invalid inputs which should produce an encoding error, such as "\xc8\x41", instead produced out-of-bounds loads from the ksc table. in a worst case, the loaded value may not be a valid unicode scalar value, in which case, if the output encoding was UTF-8, wctomb would return (size_t)-1, causing an overflow in the output pointer and remaining buffer size which could clobber memory outside of the output buffer. bug report was submitted in private by Nick Wellnhofer on account of potential security implications.
-rw-r--r--src/locale/iconv.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
index 9605c8e9..008c93f0 100644
--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (c >= 93 || d >= 94) {
c += (0xa1-0x81);
d += 0xa1;
- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
goto ilseq;
if (d-'A'<26) d = d-'A';
else if (d-'a'<26) d = d-'a'+26;
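Review bot: The corrected range test before `goto ilseq` still mixes `||` and `&&` without parentheses and uses two unexplained constants, so the intended bound is hard to audit. Assuming c holds the lead byte minus 0x81 at this point, I would write it as `if (c > 0xc6-0x81 || (c == 0xc6-0x81 && d > 0x52))` under a comment such as `/* extension range: lead byte at most 0xc6; for lead 0xc6 the trail byte is at most 0x52 */`. The description also places the actual memory clobbering in the UTF-8 output path, where a failed wctomb result is used as a length; that code is outside this hunk, and the diffstat shows this commit does not change it. A guard there that treats a (size_t)-1 return as an encoding error would keep any later decoder-table mistake from turning into an out-of-bounds write, and the "\xc8\x41" input named in the description would make a good regression case that expects an encoding error. The body of iconv starts and ends outside the hunk.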