Fix buffer overrun in EUC-KR conversion module (bug 24973)
Commit Message
The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed. When told to skip over this invalid byte, the
from_euc_kr function used to skip two bytes instead of one, potentially
running past the end of the input buffer.
[BZ #24973]
* iconvdata/euc-kr.c (BODY for FROM_LOOP): Skip only one byte when
encountering 0xfe.
* iconv/Makefile (tests): Add tst-iconv8.
* iconv/tst-iconv8.c: New file.
---
iconv/Makefile | 2 +-
iconv/tst-iconv8.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++
iconvdata/euc-kr.c | 2 +-
3 files changed, 51 insertions(+), 2 deletions(-)
create mode 100644 iconv/tst-iconv8.c
Comments
On 09/09/2019 12:58, Andreas Schwab wrote:
> diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
> index 379414c426..167a554719 100644
> --- a/iconvdata/euc-kr.c
> +++ b/iconvdata/euc-kr.c
> @@ -83,7 +83,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
> /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
> user-defined areas. */ \
> else if (__builtin_expect (ch == 0xa0, 0) \
> - || __builtin_expect (ch > 0xfe, 0) \
> + || __builtin_expect (ch >= 0xfe, 0) \
> || __builtin_expect (ch == 0xc9, 0)) \
> { \
> /* This is illegal. */ \
>
We should aim to use __glibc_likely/__glibc_unlikely rather than __builtin_expect in new code.
@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION
CFLAGS-simple-hash.c += -I../locale
tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \
- tst-iconv7 tst-iconv-mt
+ tst-iconv7 tst-iconv8 tst-iconv-mt
others = iconv_prog iconvconfig
install-others-programs = $(inst_bindir)/iconv
new file mode 100644
@@ -0,0 +1,49 @@
+/* Test EUC-KR module
+ Copyright (C) 2019 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* Derived from BZ #24973 */
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+ /* 0xfe (->0x7e : row 94) is a user-defined area, so it is rejected as
+ invalid and skipped because of //IGNORE. It is the last input byte. */
+ char input[2] = { '\0', '\xfe' };
+ char *inptr = input;
+ size_t insize = sizeof (input);
+ char output[4];
+ char *outptr = output;
+ size_t outsize = sizeof (output);
+
+ /* Skipping two bytes for the lone 0xfe used to overrun the buffer and crash. */
+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
+ TEST_VERIFY (errno == EILSEQ);
+
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+ return 0;
+}
+
+#include <support/test-driver.c>
@@ -83,7 +83,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
/* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \
user-defined areas. */ \
else if (__builtin_expect (ch == 0xa0, 0) \
- || __builtin_expect (ch > 0xfe, 0) \
+ || __builtin_expect (ch >= 0xfe, 0) \
|| __builtin_expect (ch == 0xc9, 0)) \
{ \
/* This is illegal. */ \