This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH][BZ #14134] Fix iconv segfault while converting from IBM-930


Hi,

When converting IBM930 code with iconv(), if IBM930 code which includes
invalid multibyte character "0xffff" is specified, then iconv()
segfaults. This is easy to see using the following command:

echo '0x0e 0x43 0x8c 0xff 0xff 0x43 0xbd 0x43 0xbd' | xxd -r | 
	iconv -f IBM930 -t UTF-8

The crash seems to happen when looking up the offset for the
character into the conversion table, since the conversion tables are
delimited by {0xffff, 0xffff, 0} at the end. I've added an additional
check for invalid character in this patch, which is to check if the
matched entry is the one above. I have made an analogous change to the
conversion-to-ibm930 section of the code since it makes sense logically,
even though I don't have a reproducer to induce a crash the other way
around.

I have verified that there are no regressions in the testsuite as a
result of this patch.

Regards,
Siddhesh

ChangeLog:

2012-05-23  Siddhesh Poyarekar  <siddhesh@redhat.com>

	* iconvdata/ibm930.c (BODY): Check for invalid character 0xffff
	  that matches the last element of the conversion table.
diff --git a/iconvdata/ibm930.c b/iconvdata/ibm930.c
index 25a9be0..6f758eb 100644
--- a/iconvdata/ibm930.c
+++ b/iconvdata/ibm930.c
@@ -162,7 +162,8 @@ enum
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (ch < rp2->start, 0)			      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (res = __ibm930db_to_ucs4[ch + rp2->idx],		      \
 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
 	  {								      \
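Review bot: The new test `rp2->start == 0xffff` in the from-IBM930 lookup uses a bare literal with no comment, so a reader has to know that the range table ends with the {0xffff, 0xffff, 0} entry described in the cover mail to see why it is there. A short comment above the condition, or a named constant for the terminator, would make it clear that the preceding `while (ch > rp2->end)` loop can stop on the terminator when ch is 0xffff and that `ch < rp2->start` is false in that case. Since the mail already has a nine-byte reproducer, it would also be worth adding it to the iconvdata tests so that the crash stays fixed.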
@@ -215,7 +216,8 @@ enum
 	while (ch > rp2->end)						      \
 	  ++rp2;							      \
 									      \
-	if (__builtin_expect (ch < rp2->start, 0)			      \
+	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+	    || __builtin_expect (ch < rp2->start, 0)			      \
 	    || (cp = __ucs4_to_ibm930db[ch + rp2->idx],			      \
 		__builtin_expect (cp[0], L'\1')== L'\0' && ch != '\0'))	      \
 	  {								      \
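Review bot: In the to-IBM930 lookup the new `rp2->start == 0xffff` test only helps if the `while (ch > rp2->end)` loop stops on the terminating entry, and the hunk does not show that ch is limited to 0xffff at this point. If ch can be larger than the terminator's end value, the loop walks past the end of the table before this condition is evaluated, and the added check reads an entry that is not part of the table. Please confirm that ch is bounded before the loop, or bound the loop itself. The cover mail says there is no reproducer for this direction, so a test that feeds 0xffff and a larger value through the conversion to IBM930 would show whether the change is sufficient.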
