From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from butterfly.birch.relay.mailchannels.net (butterfly.birch.relay.mailchannels.net [23.83.209.27]) by sourceware.org (Postfix) with ESMTPS id 668973857C7F for ; Wed, 6 Jan 2021 05:43:43 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 668973857C7F X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 41F2A181951; Wed, 6 Jan 2021 05:43:42 +0000 (UTC) Received: from pdx1-sub0-mail-a31.g.dreamhost.com (100-96-5-6.trex.outbound.svc.cluster.local [100.96.5.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id C56E1181A76; Wed, 6 Jan 2021 05:43:39 +0000 (UTC) X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from pdx1-sub0-mail-a31.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.11); Wed, 06 Jan 2021 05:43:42 +0000 X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Shrill-Absorbed: 573c10a37cdfca01_1609911820072_3935466824 X-MC-Loop-Signature: 1609911820072:1817641971 X-MC-Ingress-Time: 1609911820072 Received: from pdx1-sub0-mail-a31.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a31.g.dreamhost.com (Postfix) with ESMTP id 883BC842E7; Tue, 5 Jan 2021 21:43:39 -0800 (PST) Received: from rhbox.redhat.com (unknown [103.199.172.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a31.g.dreamhost.com (Postfix) with ESMTPSA id 76E618427A; Tue, 5 Jan 2021 21:43:36 -0800 (PST) X-DH-BACKEND: pdx1-sub0-mail-a31 From: Siddhesh Poyarekar To: libc-stable@sourceware.org Cc: Andreas Schwab Subject: [COMMITTED 2.32] Fix buffer overrun in EUC-KR conversion module (bz #24973) Date: Wed, 6 Jan 2021 11:13:08 +0530 Message-Id: <20210106054308.110436-1-siddhesh@sourceware.org> X-Mailer: git-send-email 2.29.2 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1168.4 required=5.0 tests=BAYES_00, GIT_PATCH_0, JMQ_SPF_NEUTRAL, KAM_DMARC_NONE, KAM_DMARC_STATUS, KAM_SHORT, RCVD_IN_ABUSEAT, RCVD_IN_BARRACUDACENTRAL, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_NEUTRAL, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: libc-stable@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-stable mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2021 05:43:45 -0000 From: Andreas Schwab The byte 0xfe as input to the EUC-KR conversion denotes a user-defined area and is not allowed. The from_euc_kr function used to skip two bytes when told to skip over the unknown designation, potentially running over the buffer end. (cherry picked from commit ee7a3144c9922808181009b7b3e50e852fb4999b) --- iconvdata/Makefile | 3 ++- iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ iconvdata/euc-kr.c | 6 +---- iconvdata/ksc5601.h | 6 ++--- 4 files changed, 59 insertions(+), 9 deletions(-) create mode 100644 iconvdata/bug-iconv13.c diff --git a/iconvdata/Makefile b/iconvdata/Makefile index 4ec2741cdc..85009f3390 100644 --- a/iconvdata/Makefile +++ b/iconvdata/Makefile @@ -73,7 +73,8 @@ modules.so :=3D $(addsuffix .so, $(modules)) ifeq (yes,$(build-shared)) tests =3D bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-ico= nv4 \ tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ - bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ + bug-iconv13 ifeq ($(have-thread-library),yes) tests +=3D bug-iconv3 endif diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c new file mode 100644 index 0000000000..87aaff398e --- /dev/null +++ b/iconvdata/bug-iconv13.c @@ -0,0 +1,53 @@ +/* bug 24973: Test EUC-KR module + Copyright (C) 2020 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +#include +#include +#include +#include + +static int +do_test (void) +{ + iconv_t cd =3D iconv_open ("UTF-8//IGNORE", "EUC-KR"); + TEST_VERIFY_EXIT (cd !=3D (iconv_t) -1); + + /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined + areas, which are not allowed and should be skipped over due to + //IGNORE. The trailing 0xfe also is an incomplete sequence, which + should be checked first. */ + char input[4] =3D { '\xc9', '\xa1', '\0', '\xfe' }; + char *inptr =3D input; + size_t insize =3D sizeof (input); + char output[4]; + char *outptr =3D output; + size_t outsize =3D sizeof (output); + + /* This used to crash due to buffer overrun. */ + TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) =3D=3D (si= ze_t) -1); + TEST_VERIFY (errno =3D=3D EINVAL); + /* The conversion should produce one character, the converted null + character. */ + TEST_VERIFY (sizeof (output) - outsize =3D=3D 1); + + TEST_VERIFY_EXIT (iconv_close (cd) !=3D -1); + + return 0; +} + +#include diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c index b0d56cf3ee..1045bae926 100644 --- a/iconvdata/euc-kr.c +++ b/iconvdata/euc-kr.c @@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) \ if (ch <=3D 0x9f) \ ++inptr; \ - /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ - user-defined areas. */ \ - else if (__builtin_expect (ch =3D=3D 0xa0, 0) \ - || __builtin_expect (ch > 0xfe, 0) \ - || __builtin_expect (ch =3D=3D 0xc9, 0)) \ + else if (__glibc_unlikely (ch =3D=3D 0xa0)) \ { \ /* This is illegal. */ \ STANDARD_FROM_LOOP_ERR_HANDLER (1); \ diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h index d3eb3a4ff8..f5cdc72797 100644 --- a/iconvdata/ksc5601.h +++ b/iconvdata/ksc5601.h @@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avai= l, unsigned char offset) unsigned char ch2; int idx; =20 + if (avail < 2) + return 0; + /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ =20 if (ch < offset || (ch - offset) <=3D 0x20 || (ch - offset) >=3D 0x7e || (ch - offset) =3D=3D 0x49) return __UNKNOWN_10646_CHAR; =20 - if (avail < 2) - return 0; - ch2 =3D (*s)[1]; if (ch2 < offset || (ch2 - offset) <=3D 0x20 || (ch2 - offset) >=3D 0x= 7f) return __UNKNOWN_10646_CHAR; --=20 2.29.2