commit 8a3aebaee0a68d037a6f311bc5c1b426e8e1884c (tree)
parent 462d26171ba1c7f5174aa08f5c2054a0a8035bac
Author: Alex Rønne Petersen <alex@alexrp.com>
Date: Fri, 14 Feb 2025 00:50:16 +0100
musl: Apply Rich Felker's CVE-2025-26519 mitigation patches.
https://www.openwall.com/lists/oss-security/2025/02/13/2
Closes #22883.
Diffstat:
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/libc/musl/src/locale/iconv.c b/lib/libc/musl/src/locale/iconv.c
@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (c >= 93 || d >= 94) {
c += (0xa1-0x81);
d += 0xa1;
- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
goto ilseq;
if (d-'A'<26) d = d-'A';
else if (d-'a'<26) d = d-'a'+26;
@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
if (*outb < k) goto toobig;
memcpy(*out, tmp, k);
} else k = wctomb_utf8(*out, c);
+ /* This failure condition should be unreachable, but
+ * is included to prevent decoder bugs from translating
+ * into advancement outside the output buffer range. */
+ if (k>4) goto ilseq;
*out += k;
*outb -= k;
break;
