public inbox for glibc-cvs@sourceware.org
help / color / mirror / Atom feed
* [glibc/arm/morello/main] Fix off-by-one OOB write in iconv/tst-iconv-mt
@ 2022-10-27 13:49 Szabolcs Nagy
0 siblings, 0 replies; 2+ messages in thread
From: Szabolcs Nagy @ 2022-10-27 13:49 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dd9ec10913da97c0a5b64f5fd9ac195a61ef13b1
commit dd9ec10913da97c0a5b64f5fd9ac195a61ef13b1
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Mon Sep 26 15:38:19 2022 +0100
Fix off-by-one OOB write in iconv/tst-iconv-mt
The iconv buffer sizes must not include the \0 string terminator.
When \0 cannot be part of a valid character encoding glibc iconv
would copy it to the output as expected, but then later the explicit
output termination with *outbufpos = '\0' is out of bounds.
Diff:
---
iconv/tst-iconv-mt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iconv/tst-iconv-mt.c b/iconv/tst-iconv-mt.c
index daaebd273b..0320885c06 100644
--- a/iconv/tst-iconv-mt.c
+++ b/iconv/tst-iconv-mt.c
@@ -58,11 +58,11 @@ worker (void * arg)
char ascii[] = CONV_INPUT;
char *inbufpos = ascii;
- size_t inbytesleft = sizeof (CONV_INPUT);
+ size_t inbytesleft = sizeof (CONV_INPUT) - 1;
char *utf8 = xcalloc (sizeof (CONV_INPUT), 1);
char *outbufpos = utf8;
- size_t outbytesleft = sizeof (CONV_INPUT);
+ size_t outbytesleft = sizeof (CONV_INPUT) - 1;
if (tidx < TCOUNT/2)
/* The first half of the worker thread pool synchronize together here,
^ permalink raw reply [flat|nested] 2+ messages in thread
* [glibc/arm/morello/main] Fix off-by-one OOB write in iconv/tst-iconv-mt
@ 2022-11-23 14:39 Szabolcs Nagy
0 siblings, 0 replies; 2+ messages in thread
From: Szabolcs Nagy @ 2022-11-23 14:39 UTC (permalink / raw)
To: glibc-cvs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=44d649d3c4051391782d8c893004dd7efec2ce70
commit 44d649d3c4051391782d8c893004dd7efec2ce70
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date: Mon Sep 26 15:38:19 2022 +0100
Fix off-by-one OOB write in iconv/tst-iconv-mt
The iconv buffer sizes must not include the \0 string terminator.
When \0 cannot be part of a valid character encoding glibc iconv
would copy it to the output as expected, but then later the explicit
output termination with *outbufpos = '\0' is out of bounds.
Diff:
---
iconv/tst-iconv-mt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/iconv/tst-iconv-mt.c b/iconv/tst-iconv-mt.c
index daaebd273b..0320885c06 100644
--- a/iconv/tst-iconv-mt.c
+++ b/iconv/tst-iconv-mt.c
@@ -58,11 +58,11 @@ worker (void * arg)
char ascii[] = CONV_INPUT;
char *inbufpos = ascii;
- size_t inbytesleft = sizeof (CONV_INPUT);
+ size_t inbytesleft = sizeof (CONV_INPUT) - 1;
char *utf8 = xcalloc (sizeof (CONV_INPUT), 1);
char *outbufpos = utf8;
- size_t outbytesleft = sizeof (CONV_INPUT);
+ size_t outbytesleft = sizeof (CONV_INPUT) - 1;
if (tidx < TCOUNT/2)
/* The first half of the worker thread pool synchronize together here,
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-11-23 14:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-27 13:49 [glibc/arm/morello/main] Fix off-by-one OOB write in iconv/tst-iconv-mt Szabolcs Nagy
2022-11-23 14:39 Szabolcs Nagy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).