From patchwork Fri Apr 1 06:12:07 2022
X-Patchwork-Submitter: Dmitry Chestnyh
X-Patchwork-Id: 52552
From: Dmitry Chestnyh
Subject: [PATCH] [iconv]. Fix possible array out of bounds.
Date: Fri, 1 Apr 2022 09:12:07 +0300
Message-ID: <20220401061207.510524-1-d.chestnyh@omp.ru>
List-Id: Libc-alpha mailing list
Cc: Dmitry Chestnyh

`sizeof(state->__value)` is 4 both on 32 and 64 bit platforms. So if we reach the situation of == at this point then we can access `bytebuf` whose size is usually 4 with index 4.

--- iconv/loop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iconv/loop.c b/iconv/loop.c index f8727a637a..28a9c87e93 100644 --- a/iconv/loop.c +++ b/iconv/loop.c @@ -391,7 +391,7 @@ SINGLE(LOOPFCT) (struct __gconv_step *step, UNPACK_BYTES # else /* Add the bytes from the state to the input buffer. */ - assert ((state->__count & 7) <= sizeof (state->__value)); + assert ((state->__count & 7) < sizeof (state->__value)); for (inlen = 0; inlen < (size_t) (state->__count & 7); ++inlen) bytebuf[inlen] = state->__value.__wchb[inlen]; # endif
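
Review bot: the copy loop directly below the changed assert is bounded by `inlen < (size_t) (state->__count & 7)`, so with a count of 4 it only touches indices 0 to 3 of `bytebuf` and `state->__value.__wchb`; the index-4 access described in the commit message does not happen in the lines this hunk shows. If the out-of-bounds access occurs later in the function, the commit message should name that statement, and the bound would be clearer if it were expressed against `sizeof (bytebuf)`, the buffer actually written, instead of `sizeof (state->__value)`. Note also that tightening `<=` to `<` makes a state holding 4 saved bytes an assertion failure, so it is worth confirming that no converter legitimately stores that many. Because `assert` only checks when assertions are compiled in, it should not be the sole guard if the count can be influenced by input. A test case that reproduces the condition would make the fix verifiable.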