[iconv] . Fix possible array out of bounds.

Message ID 20220401061207.510524-1-d.chestnyh@omp.ru
State New
Headers
Series [iconv] . Fix possible array out of bounds. |

Checks

Context Check Description
dj/TryBot-apply_patch success Patch applied to master at the time it was sent
dj/TryBot-32bit success Build for i686
redhat-pt-bot/TryBot-still_applies warning Patch no longer applies to master

Commit Message

Dmitry Chestnyh April 1, 2022, 6:12 a.m. UTC
  `sizeof(state->__value)` is 4 both on 32 and 64 bit platforms.
So if we reach the situation of == at this point
then we can access `bytebuf` whose size is usually 4 with index 4.
---
 iconv/loop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
  

Patch

diff --git a/iconv/loop.c b/iconv/loop.c
index f8727a637a..28a9c87e93 100644
--- a/iconv/loop.c
+++ b/iconv/loop.c
@@ -391,7 +391,7 @@  SINGLE(LOOPFCT) (struct __gconv_step *step,
   UNPACK_BYTES
 #  else
   /* Add the bytes from the state to the input buffer.  */
-  assert ((state->__count & 7) <= sizeof (state->__value));
+  assert ((state->__count & 7) < sizeof (state->__value));
   for (inlen = 0; inlen < (size_t) (state->__count & 7); ++inlen)
     bytebuf[inlen] = state->__value.__wchb[inlen];
 #  endif