Date: Tue, 30 May 2023 13:02:49 +0300
From: Alexey Izbyshev <izbyshev@...ras.ru>
To: musl@...ts.openwall.com
Subject: [PATCH] mbsrtowcs: fix buffer overflow with zero dest buf size and non-initial mbstate_t

If mbsrtowcs is called with non-initial conversion state, it resumes
from the point where normally it has already been checked that there is
space in the destination buffer for at least one wide character. Because
the check is skipped in this case, if wn is zero, the function will
wrongly write to the buffer in case of successful conversion, then wrap
wn around and may continue overflowing the buffer further.
---
Note: this patch was made on top of "mbsrtowcs: fix wrong *src update in
case of EILSEQ with non-initial mbstate_t"
(https://www.openwall.com/lists/musl/2023/05/29/8).
---
 src/multibyte/mbsrtowcs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c
index cbab539d..843ad3b5 100644
--- a/src/multibyte/mbsrtowcs.c
+++ b/src/multibyte/mbsrtowcs.c
@@ -13,6 +13,7 @@ size_t mbsrtowcs(wchar_t *restrict ws, const char **restrict src, size_t wn, mbs
 
 	if (st && (c = *(unsigned *)st)) {
 		if (ws) {
+			if (!wn) return 0;
 			s0 = s;
 			*(unsigned *)st = 0;
 			goto resume;
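Review bot: the `if (!wn) return 0;` is placed before `*(unsigned *)st = 0;`, and that ordering is the substance of the fix: returning while the partial sequence is still recorded in `st` and before `s0 = s` or any update of `*src` is what lets the caller come back with a real buffer and resume, whereas clearing the state first would silently discard the pending bytes. Nothing on the line says so, and a later reordering would compile fine, so a one-line comment above the return, e.g. `/* no room for even one wchar_t: leave st and *src untouched */`, would protect the invariant. The check is correctly confined to the `if (ws)` branch shown here, since that is the only path that writes to the destination.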
-- 
2.39.2
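An added regression probe for the case the commit message describes (a non-initial mbstate_t combined with wn == 0). This is example code written for this note, not musl's code and not part of the patch. It uses only the standard mbrtowc/mbsinit/mbsrtowcs API, assumes a UTF-8 locale is available under one of a few common names (the locale names and the sentinel value are assumptions), and surrounds a zero-length destination window with canary words so that an erroneous write, including the follow-on write after wn wraps, is detected instead of corrupting the stack silently. The input bytes are constructed here.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define GUARD_WORDS 4
#define GUARD_VALUE ((wchar_t)0x5A5A5A5A)   /* assumed sentinel pattern */

/* Try a few common UTF-8 locale names (assumption: at least one exists on
   the host). Returns 1 on success, 0 if none could be selected. */
static int select_utf8_locale(void)
{
    static const char *const names[] = {
        "C.UTF-8", "C.utf8", "en_US.UTF-8", "en_US.utf8"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (setlocale(LC_CTYPE, names[i]) != NULL)
            return 1;
    return 0;
}

/* Call mbsrtowcs with wn == 0 while st holds a partial multibyte sequence
   and report what happened:
     1  nothing was written to the destination and 0 was returned
     0  the destination was written to, or a nonzero count came back
    -1  the probe could not be set up (no UTF-8 locale, or mbrtowc did not
        leave a partial state), so nothing was checked */
int probe_zero_len_resume(void)
{
    if (!select_utf8_locale())
        return -1;

    /* Constructed input: U+20AC EURO SIGN, which is E2 82 AC in UTF-8.
       Feeding only the first byte leaves st in a non-initial state. */
    static const char euro[] = "\xE2\x82\xAC";
    mbstate_t st;
    memset(&st, 0, sizeof st);
    wchar_t scratch;
    if (mbrtowc(&scratch, euro, 1, &st) != (size_t)-2 || mbsinit(&st))
        return -1;

    /* The destination is a zero-length window starting at guard[0]; every
       guard word is a canary, so any write at all is detectable. */
    wchar_t guard[GUARD_WORDS];
    for (size_t i = 0; i < GUARD_WORDS; i++)
        guard[i] = GUARD_VALUE;

    const char *src = euro + 1;            /* the remaining two bytes */
    size_t n = mbsrtowcs(guard, &src, 0, &st);

    for (size_t i = 0; i < GUARD_WORDS; i++)
        if (guard[i] != GUARD_VALUE)
            return 0;                      /* wrote despite wn == 0 */
    if (n != 0)
        return 0;                          /* claimed a conversion */
    return 1;
}

int main(void)
{
    int r = probe_zero_len_resume();
    if (r < 0)
        puts("probe skipped: could not create a non-initial mbstate_t");
    else
        printf("zero-length resume: %s\n", r ? "no write, returned 0" : "BUG");
    return r == 0;
}
```

On a libc that handles the case correctly the probe reports "no write, returned 0" and leaves the partial state in place for a later call with a real buffer. On the unpatched code path the commit message describes, the resumed conversion would store U+20AC in guard[0], wrap wn, and then store the terminating L'\0' in guard[1], which the canary scan reports as a bug rather than letting the two words spill past a real zero-sized buffer.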
