public inbox for glibc-bugs@sourceware.org
* [Bug libc/17703] New: iconv(1) EFAULTs reading the second non-mmapable input
@ 2014-12-12 2:55 ricilake at gmail dot com
2014-12-12 11:56 ` [Bug libc/17703] " fweimer at redhat dot com
2015-08-27 22:25 ` [Bug locale/17703] " jsm28 at gcc dot gnu.org
0 siblings, 2 replies; 3+ messages in thread
From: ricilake at gmail dot com @ 2014-12-12 2:55 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17703
Bug ID: 17703
Summary: iconv(1) EFAULTs reading the second non-mmapable input
Product: glibc
Version: 2.20
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: ricilake at gmail dot com
CC: drepper.fsp at gmail dot com
This bug report is the result of a StackOverflow question:
http://stackoverflow.com/questions/27432033/process-substitution-not-working-for-input-files-with-iconv/27435671#27435671
A minimal reproducible test (Linux):
$ iconv -f ISO-8859-1 -t UTF-8 <(printf \\xa3) <(printf \\xa5)
£iconv: error while reading the input: Bad address
The error message is the result of an EFAULT during execution of read(2).
The bug is in the function process_fd in iconv/iconv_prog.c:
566 static char *inbuf = NULL;
567 static size_t maxlen = 0;
568 char *inptr = NULL;
inbuf is a temporary buffer used to read the entire input stream in the case
that an input argument cannot be mmap'd; maxlen is its current length. They are
declared static presumably to allow the buffer to be reused for subsequent
input streams. However, inptr (which is the point in the buffer at which to
read the next chunk of input) is always initialized to NULL, which is incorrect
if inbuf has been previously allocated; it should instead be initialized to
inbuf.
After the initialization, the function proceeds to attempt to fill inbuf up to
its current maximum size, maxlen:
569 size_t actlen = 0;
570
571 while (actlen < maxlen)
572 {
573 ssize_t n = read (fd, inptr, maxlen - actlen);
On the second invocation of process_fd, maxlen is not zero, so the loop is
entered and an attempt is made to read(2) into inptr, which is NULL. This
causes an EFAULT.
The fix, as indicated above:
568 char *inptr = inbuf;
--
You are receiving this mail because:
You are on the CC list for the bug.
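The failure mode described in the report above, as an added example that is not part of the original message or of the glibc sources: a reduced C model of a read loop that reuses a static buffer across calls. The names `slurp_fd`, `slurp_byte_via_pipe`, `use_fix` and `CHUNK` are hypothetical, and the one-byte pipe inputs are constructed to stand in for the two process substitutions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define CHUNK 32768 /* growth step assumed for this model */
/* Model of the reported loop (hypothetical names); use_fix = proposed fix. */
static ssize_t slurp_fd(int fd, int use_fix)
{
    static char *inbuf = NULL; /* reused across calls */
    static size_t maxlen = 0;
    char *inptr = use_fix ? inbuf : NULL;
    size_t actlen = 0;
    for (;;) {
        while (actlen < maxlen) { /* skipped only while maxlen == 0 */
            ssize_t n = read(fd, inptr, maxlen - actlen);
            if (n <= 0) /* EOF, or error: EFAULT if inptr is NULL */
                return n == 0 ? (ssize_t)actlen : -errno;
            inptr += n;
            actlen += n;
        }
        char *grown = realloc(inbuf, maxlen + CHUNK);
        if (grown == NULL)
            return -ENOMEM;
        inbuf = grown;
        maxlen += CHUNK;
        inptr = inbuf + actlen;
    }
}

/* Constructed input: one byte through a pipe, which cannot be mmap'd. */
static ssize_t slurp_byte_via_pipe(unsigned char byte, int use_fix)
{
    int p[2];
    if (pipe(p) != 0)
        return -errno;
    ssize_t n = write(p[1], &byte, 1) == 1 ? 0 : -errno;
    close(p[1]); /* writer closes so the reader sees EOF */
    if (n == 0)
        n = slurp_fd(p[0], use_fix);
    close(p[0]);
    return n;
}

int main(void)
{
    printf("unpatched, 1st input: %zd\n", slurp_byte_via_pipe(0xa3, 0));
    printf("unpatched, 2nd input: %zd\n", slurp_byte_via_pipe(0xa5, 0));
    printf("patched,   2nd input: %zd\n", slurp_byte_via_pipe(0xa5, 1));
    return 0;
}
```

The second unpatched call returns `-EFAULT` because the buffer length is already nonzero while the write pointer is still NULL; with the initializer changed the same input reads one byte.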
* [Bug libc/17703] iconv(1) EFAULTs reading the second non-mmapable input
From: carlos at redhat dot com @ 2014-12-12 3:07 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17703
Carlos O'Donell <carlos at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
Good analysis. Needs a test case. See wordexp-tst.sh or globtest.sh for
examples on how to write test cases in shell. Note that iconv is iconv_prog in
the object directory.
See: https://sourceware.org/glibc/wiki/Contribution%20checklist
Once you have a patch together post to libc-alpha@sourceware.org for review.
* [Bug libc/17703] iconv(1) EFAULTs reading the second non-mmapable input
From: fweimer at redhat dot com @ 2014-12-12 11:56 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17703
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security-
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
iconvdata/run-iconv-test.sh has existing iconv shell tests.
* [Bug locale/17703] iconv(1) EFAULTs reading the second non-mmapable input
From: jsm28 at gcc dot gnu.org @ 2015-08-27 22:25 UTC
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17703
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|libc                        |locale