From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 15457 invoked by alias); 29 Aug 2014 12:06:19 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id:
List-Subscribe:
List-Post:
List-Help: ,
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 15420 invoked by uid 48); 29 Aug 2014 12:06:15 -0000
From: "azanella at linux dot vnet.ibm.com"
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17325] iconv from ccsid 937 to utf-8 access invalid memory
Date: Fri, 29 Aug 2014 12:06:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: 2.20
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: azanella at linux dot vnet.ibm.com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00155.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=17325

--- Comment #2 from Adhemerval Zanella Netto ---
I must confess I didn't pay much attention in my first analysis. And I agree with your evaluation: if ch is 0xffff is a out of the bound access. I have changed the patch to check for 0xffff and also found other possible susceptible encodings. I have place the test with others sanity ones to simplify the code. What do you think?

diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
index 0b5484f..21f71bd 100644
--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -222,6 +222,7 @@ enum
 \
 uint32_t res; \
 if (__builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = DB_TO_UCS4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm930.c b/iconvdata/ibm930.c
index 768a444..72f4afe 100644
--- a/iconvdata/ibm930.c
+++ b/iconvdata/ibm930.c
@@ -165,6 +165,7 @@ enum
 \
 if (__builtin_expect (rp2->start == 0xffff, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm930db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm932.c b/iconvdata/ibm932.c
index f5dca59..57ac293 100644
--- a/iconvdata/ibm932.c
+++ b/iconvdata/ibm932.c
@@ -79,6 +79,7 @@
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm932db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, '\1') == 0 && ch !=0)) \
 { \
diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c
index f46dfb5..633ed8f 100644
--- a/iconvdata/ibm933.c
+++ b/iconvdata/ibm933.c
@@ -164,6 +164,7 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm933db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c
index a8e4e6c..d00edd0 100644
--- a/iconvdata/ibm935.c
+++ b/iconvdata/ibm935.c
@@ -164,6 +164,7 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm935db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c
index 239be61..6dff7a2 100644
--- a/iconvdata/ibm937.c
+++ b/iconvdata/ibm937.c
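Review bot: The added `ch == 0xffff` test in the ibm1364.c hunk carries no explanation, and nothing visible in the hunk bounds `ch + rp2->idx` against the size of `DB_TO_UCS4` for any other input. Judging by the `rp2->start == 0xffff` test visible in the ibm930.c hunk, 0xffff is presumably the start of a terminating range entry whose `idx` is not a valid table offset; a comment such as `/* ch == 0xffff selects the terminating range entry, whose idx is not a table offset.  */` next to the new line would record that. The same uncommented guard is added in the ibm930, ibm932, ibm933, ibm935, ibm937, ibm939 and ibm943 hunks, and no regression input exercising the 0xffff sequence is visible in this patch. The macro body starts and ends outside the hunk, so the range search that selects `rp2` cannot be checked from here.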
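Review bot: The new `ch == 0xffff` test looks redundant in the ibm930.c hunk, because the first condition of the same `if` already rejects `rp2->start == 0xffff`. If the range search above the hunk stops at the first entry whose end is not below `ch` (that code is outside the hunk, so this is inferred), an input of 0xffff can only select the terminating entry, which the existing test already handles. Either drop the added line in this file or state in a comment which case it covers that `rp2->start == 0xffff` does not.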
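Review bot: The first condition in the ibm932.c hunk tests `rp2 == NULL`, whereas the ibm930.c hunk tests `rp2->start == 0xffff` at the same position. If `rp2` is advanced through an array that ends in a 0xffff entry (the lookup code is outside the hunk, so this is inferred), it is never NULL and that test cannot fire, which would explain how 0xffff reaches the table index unchecked. Replacing it with `if (__builtin_expect (rp2->start == 0xffff, 0) \` would reject the terminating entry directly and make the added `ch == 0xffff` line unnecessary. The ibm933, ibm935, ibm937, ibm939 and ibm943 hunks carry the same `rp2 == NULL` condition.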
@@ -164,6 +164,7 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm937db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c
index 5d0db36..c46758c 100644
--- a/iconvdata/ibm939.c
+++ b/iconvdata/ibm939.c
@@ -164,6 +164,7 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm939db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \
diff --git a/iconvdata/ibm943.c b/iconvdata/ibm943.c
index be0c14f..e2e8ef5 100644
--- a/iconvdata/ibm943.c
+++ b/iconvdata/ibm943.c
@@ -80,6 +80,7 @@
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
+ || __builtin_expect (ch == 0xffff, 0) \
 || (res = __ibm943db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, '\1') == 0 && ch !=0)) \
 { \
--
You are receiving this mail because:
You are on the CC list for the bug.