musl - musl - an implementation of the standard library for Linux-based systems (original) (raw)
| author | Rich Felker dalias@aerifal.cx | 2025-02-12 17:06:30 -0500 |
|---|---|---|
| committer | Rich Felker dalias@aerifal.cx | 2025-02-12 17:06:30 -0500 |
| commit | c47ad25ea3b484e10326f933e927c0bc8cded3da (patch) | |
| tree | 2c1d63ea8a44fdba4477fcb505ab3a357a20bb08 | |
| parent | 4c4f15dae57125e5b65b9690901384ae501d38e2 (diff) | |
| download | musl-master.tar.gz |
iconv: harden UTF-8 output code path against input decoder bugsHEADmaster
the UTF-8 output code was written assuming an invariant that iconv's decoders only emit valid Unicode Scalar Values which wctomb can encode successfully, thereby always returning a value between 1 and 4. if this invariant is not satisfied, wctomb returns (size_t)-1, and the subsequent adjustments to the output buffer pointer and remaining output byte count overflow, moving the output position backwards, potentially past the beginning of the buffer, without storing any bytes.
| -rw-r--r-- | src/locale/iconv.c | 4 |
|---|
1 files changed, 4 insertions, 0 deletions
diff --git a/src/locale/iconv.c b/src/locale/iconv.c
index 008c93f0..52178950 100644
--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (*outb < k) goto toobig;
memcpy(*out, tmp, k);
} else k = wctomb_utf8(*out, c);
+ /* This failure condition should be unreachable, but
+ * is included to prevent decoder bugs from translating
+ * into advancement outside the output buffer range. */
+ if (k>4) goto ilseq;
*out += k;
*outb -= k;
break;