From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 1944) id 53183385700B; Wed, 4 Oct 2023 07:33:57 +0000 (GMT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Szabolcs Nagy
To: glibc-cvs@sourceware.org
Subject: [glibc] Fix off-by-one OOB write in iconv/tst-iconv-mt
X-Act-Checkin: glibc
X-Git-Author: Szabolcs Nagy
X-Git-Refname: refs/heads/master
X-Git-Oldrev: 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa
X-Git-Newrev: 0a520f28ffc8820d46074a71323db4c9652873be
Message-Id: <20231004073357.53183385700B@sourceware.org>
Date: Wed, 4 Oct 2023 07:33:57 +0000 (GMT)
List-Id:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0a520f28ffc8820d46074a71323db4c9652873be

commit 0a520f28ffc8820d46074a71323db4c9652873be
Author: Szabolcs Nagy
Date:   Mon Sep 26 15:38:19 2022 +0100

    Fix off-by-one OOB write in iconv/tst-iconv-mt

    The iconv buffer sizes must not include the \0 string terminator.

    And the output termination with *outbufpos = '\0' was OOB.

    Consistently use non-null-terminated buffer sizes.

    Reviewed-by: Adhemerval Zanella

Diff:
---
 iconv/tst-iconv-mt.c | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/iconv/tst-iconv-mt.c b/iconv/tst-iconv-mt.c index e634eec1b7..8d7867b323 100644 --- a/iconv/tst-iconv-mt.c +++ b/iconv/tst-iconv-mt.c
@@ -57,12 +57,13 @@ worker (void * arg) iconv_t cd; char ascii[] = CONV_INPUT; + size_t bytes = sizeof (CONV_INPUT) - 1; char *inbufpos = ascii; - size_t inbytesleft = sizeof (CONV_INPUT); + size_t inbytesleft = bytes; - char *utf8 = xcalloc (sizeof (CONV_INPUT), 1); + char *utf8 = xcalloc (bytes, 1); char *outbufpos = utf8; - size_t outbytesleft = sizeof (CONV_INPUT); + size_t outbytesleft = bytes; if (tidx < TCOUNT/2) /* The first half of the worker thread pool synchronize together here, @@ -91,8 +92,6 @@ worker (void * arg) &outbytesleft) != (size_t) -1); - *outbufpos = '\0'; - xpthread_barrier_wait (&sync); TEST_VERIFY_EXIT (iconv_close (cd) == 0); @@ -104,11 +103,7 @@ worker (void * arg) if (tidx < TCOUNT/2) xpthread_barrier_wait (&sync); - if (strncmp (utf8, CONV_INPUT, sizeof CONV_INPUT)) - { - printf ("FAIL: thread %lx: invalid conversion output from iconv\n", tidx); - pthread_exit ((void *) (long int) 1); - } + TEST_COMPARE_BLOB (utf8, bytes, CONV_INPUT, bytes); pthread_exit (NULL); }
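Review bot: in the first hunk, at `char *utf8 = xcalloc (bytes, 1);`, the output buffer is now exactly `sizeof (CONV_INPUT) - 1` bytes and deliberately not NUL-terminated, but nothing in the code records that. Sizing the output to the input length is only safe while the conversion is byte-for-byte (the names `ascii` and `utf8` suggest ASCII input), and any later string function applied to `utf8` would read past the allocation. A one-line comment next to `bytes` stating both assumptions, and declaring it `const size_t bytes`, would keep a future change to CONV_INPUT or to the comparison code from reintroducing an out-of-bounds access.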
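Review bot: in the last hunk, replacing the `strncmp` block with `TEST_COMPARE_BLOB (utf8, bytes, CONV_INPUT, bytes);` changes how a mismatch is reported: the removed code called `pthread_exit ((void *) (long int) 1)` and printed `tidx`, while the new code always falls through to `pthread_exit (NULL)`. Please confirm that the code joining these workers does not rely on the thread's return value to detect a failed conversion, and consider whether the failing thread index is still wanted in the diagnostics, since the blob comparison reports the differing bytes but not which worker produced them.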