From: "azanella at linux dot vnet.ibm.com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug localedata/17325] New: iconv from ccsid 937 to utf-8 access invalid memory Date: Thu, 28 Aug 2014 17:46:00 -0000 [thread overview] Message-ID: <bug-17325-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=17325 Bug ID: 17325 Summary: iconv from ccsid 937 to utf-8 access invalid memory Product: glibc Version: 2.20 Status: NEW Severity: normal Priority: P2 Component: localedata Assignee: unassigned at sourceware dot org Reporter: azanella at linux dot vnet.ibm.com CC: libc-locales at sourceware dot org The testcase: -- #include <stdio.h> #include <stdlib.h> #include <iconv.h> void testIconv (const char *toEnc, char *to_conv, size_t to_conv_len) { iconv_t cd; char buf_input[13]; char buf_output[64]; size_t input_len = to_conv_len; sprintf (buf_input, "%s", to_conv); size_t available_len = sizeof (buf_output) - 1; size_t output_len = available_len; buf_output[sizeof (buf_output) - 1] = 0; cd = iconv_open ("UTF-8", toEnc); if (cd == (iconv_t) - 1) { fprintf (stderr, "%s: iconv_open (...) error\n", toEnc); return; } char *in_buf_ptr = &buf_input[0]; char *out_buf_ptr = &buf_output[0]; size_t iconv_val = iconv (cd, &in_buf_ptr, &input_len, &out_buf_ptr, &output_len); if (iconv_val == (size_t) - 1) { fprintf (stderr, "%s: iconv (...) error\n", toEnc); return; } size_t converted = available_len - output_len; if (converted > 0 && converted < sizeof (buf_output)) { buf_output[converted] = 0; fprintf (stderr, "%s: converted to %s\n", toEnc, buf_output); } int ret = iconv_close (cd); if (ret != 0) fprintf (stderr, "%s: iconv_close(...) 
err\n", toEnc); } int main () { testIconv ("IBM930", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM932", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM933", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM935", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM937", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM939", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); testIconv ("IBM943", "\016\377\377\377\377\377\377\377\377\377\377\377", 12); return 0; } -- Produces segmentation faults due invalid memory access, more specifically, on GLIBC's code: * iconvdata/ibm937.c 161 ch = (ch * 0x100) + inptr[1]; \ 162 while (ch > rp2->end) \ 163 ++rp2; \ 164 \ 165 if (__builtin_expect (rp2 == NULL, 0) \ 166 || __builtin_expect (ch < rp2->start, 0) \ 167 || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ 168 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ 169 { \ 170 /* This is an illegal character. */ \ 171 STANDARD_FROM_LOOP_ERR_HANDLER (2); \ 172 } \ 173 else \ 174 { \ 175 put32 (outptr, res); \ 176 outptr += 4; \ 177 } \ 178 inptr += 2; \ 179 } \ The 'res = __ibm937db_to_ucs4[ch + rp2->idx],' is accessing invalid memory due the array index value 'ch + rp2->idx' being out the bounds. A straightforward fix you emit an invalid error if the index is out of the bonds, as the following: 
diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c
index f46dfb5..6de73e8 100644
--- a/iconvdata/ibm933.c
+++ b/iconvdata/ibm933.c
@@ -164,6 +164,8 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \ 
+ || __builtin_expect ( \ 
+ (ch + rp2->idx) > sizeof __ibm933db_to_ucs4, 0) \
 || (res = __ibm933db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \ 
diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c
index a8e4e6c..dfb152d 100644
--- a/iconvdata/ibm935.c
+++ b/iconvdata/ibm935.c 
@@ -164,6 +164,8 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \ 
+ || __builtin_expect ( \ 
+ (ch + rp2->idx) > sizeof __ibm935db_to_ucs4, 0) \
 || (res = __ibm935db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \ 
diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c
index 239be61..13f8b3c 100644
--- a/iconvdata/ibm937.c
+++ b/iconvdata/ibm937.c
@@ -164,6 +164,8 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \ 
+ || __builtin_expect ( \ 
+ (ch + rp2->idx) > sizeof __ibm937db_to_ucs4, 0) \
 || (res = __ibm937db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \ 
diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c
index 5d0db36..98299e9 100644
--- a/iconvdata/ibm939.c
+++ b/iconvdata/ibm939.c
@@ -164,6 +164,8 @@ enum
 \
 if (__builtin_expect (rp2 == NULL, 0) \
 || __builtin_expect (ch < rp2->start, 0) \ 
+ || __builtin_expect ( \ 
+ (ch + rp2->idx) > sizeof __ibm939db_to_ucs4, 0) \
 || (res = __ibm939db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { 
-- You are receiving this mail because: You are on the CC list for the bug.
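Review bot: The added check compares `ch + rp2->idx` against `sizeof __ibm933db_to_ucs4`, which is the table's size in bytes rather than its element count, and uses `>` where the last valid index is count - 1; the same added line appears in the ibm935, ibm937 and ibm939 hunks. Unless the table is a byte array (its element type is not visible here), an index between the element count and the byte count still reads past the end, so the test should be `|| __builtin_expect (ch + rp2->idx >= sizeof __ibm933db_to_ucs4 / sizeof __ibm933db_to_ucs4[0], 0) \` in each file, and it compiles only where the array's complete declaration is in scope rather than an incomplete extern one. The check also leaves the earlier read untouched: the ibm937.c excerpt quoted above the patch shows `while (ch > rp2->end) ++rp2;` with no terminating condition, so for a `ch` above every range's end `rp2` walks off the range table and the `rp2->start` and `rp2->idx` loads in this hunk are already out of bounds before the new test runs, which the `rp2 == NULL` comparison on the first context line does not catch since an incremented pointer does not become NULL. Bounding that loop by the range table's length or a sentinel entry, and treating "no range matched" as an illegal character, is what closes the invalid read; if `rp2->idx` can be negative, the sum also needs a lower-bound check before it is used as an index. The enclosing BODY macro begins and ends outside the hunk.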
next reply other threads:[~2014-08-28 17:46 UTC|newest] Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-08-28 17:46 azanella at linux dot vnet.ibm.com [this message] 2014-08-28 17:46 ` [Bug localedata/17325] " azanella at linux dot vnet.ibm.com 2014-08-29 8:40 ` fweimer at redhat dot com 2014-08-29 9:37 ` fweimer at redhat dot com 2014-08-29 9:57 ` fweimer at redhat dot com 2014-08-29 12:06 ` azanella at linux dot vnet.ibm.com 2014-08-29 12:18 ` fweimer at redhat dot com 2014-09-02 5:40 ` [Bug localedata/17325] iconv from ccsid 937 to utf-8 access invalid memory (CVE-2014-6040) fweimer at redhat dot com 2014-09-03 17:52 ` cvs-commit at gcc dot gnu.org 2014-09-03 17:56 ` fweimer at redhat dot com 2014-09-05 13:16 ` cvs-commit at gcc dot gnu.org 2015-01-16 16:59 ` cvs-commit at gcc dot gnu.org 2015-01-16 17:03 ` cvs-commit at gcc dot gnu.org 2015-01-29 18:47 ` cvs-commit at gcc dot gnu.org 2015-02-23 14:23 ` cvs-commit at gcc dot gnu.org 2015-02-23 15:02 ` cvs-commit at gcc dot gnu.org