projects / glibc.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 467bf5b) | patch
[PATCH] gconv: Fix assertion failure in ISO-2022-JP-3 module (bug 27256)
authorFlorian Weimer <fweimer@redhat.com>
Wed, 27 Jan 2021 12:36:12 +0000 (13:36 +0100)
committerHelmut Grohne <helmut@subdivi.de>
Sat, 8 Oct 2022 15:53:16 +0000 (16:53 +0100)
commitbb43f480b95f667dd9ec068548fe44da7f11c26a
tree92037f11924b688dc91321007fcaf2e4d514ccbdtree | snapshot
parent467bf5b3269fae04c024192653bfb088dbb98389commit | diff
[PATCH] gconv: Fix assertion failure in ISO-2022-JP-3 module (bug 27256)

The conversion loop to the internal encoding does not follow
the interface contract that __GCONV_FULL_OUTPUT is only returned
after the internal wchar_t buffer has been filled completely.  This
is enforced by the first of the two asserts in iconv/skeleton.c:

      /* We must run out of output buffer space in this
 rerun.  */
      assert (outbuf == outerr);
      assert (nstatus == __GCONV_FULL_OUTPUT);

This commit solves this issue by queuing a second wide character
which cannot be written immediately in the state variable, like
other converters already do (e.g., BIG5-HKSCS or TSCII).

Reported-by: Tavis Ormandy <taviso@gmail.com>
From ff012870b2c02a62598c04daa1e54632e020fd7d Mon Sep 17 00:00:00 2001
From: Nikita Popov <npv1310@gmail.com>
Date: Tue, 2 Nov 2021 13:21:42 +0500
Subject: [PATCH] gconv: Do not emit spurious NUL character in ISO-2022-JP-3
 (bug 28524)

Bugfix 27256 has introduced another issue:
In conversion from ISO-2022-JP-3 encoding, it is possible
to force iconv to emit extra NUL character on internal state reset.
To do this, it is sufficient to feed iconv with escape sequence
which switches active character set.
The simplified check 'data->__statep->__count != ASCII_set'
introduced by the aforementioned bugfix picks that case and
behaves as if '\0' character has been queued thus emitting it.

To eliminate this issue, these steps are taken:
* Restore original condition
'(data->__statep->__count & ~7) != ASCII_set'.
It is necessary since bits 0-2 may contain
number of buffered input characters.
* Check that queued character is not NUL.
Similar step is taken for main conversion loop.

Bundled test case follows following logic:
* Try to convert ISO-2022-JP-3 escape sequence
switching active character set
* Reset internal state by providing NULL as input buffer
* Ensure that nothing has been converted.

Signed-off-by: Nikita Popov <npv1310@gmail.com>
Gbp-Pq: Topic all
Gbp-Pq: Name git-CVE-2021-3326-Fix-assertion-failure-in-ISO-2022-JP-3-module-.diff
iconvdata/Makefile diff | blob | history
iconvdata/bug-iconv14.c [new file with mode: 0644] blob
iconvdata/bug-iconv15.c [new file with mode: 0644] blob
iconvdata/iso-2022-jp-3.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.