[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <lhu343wta3h.fsf@oldenburg.str.redhat.com>
Date: Fri, 23 Jan 2026 20:14:42 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Richard Howe <rhowe425@...il.com>
Cc: musl@...ts.openwall.com
Subject: Re: denial-of-service issue in musl’s
iconv implementation
* Richard Howe:
> Hello,
>
> I am reporting a denial-of-service issue in musl’s iconv implementation.
>
> Summary
>
> A crafted input passed to iconv() can trigger an internal assertion failure in gconv():
>
> ../iconv/skeleton.c:745: gconv: Assertion `outbuf == outerr' failed
This happens because you call iconv with input and output buffers that
overlap:
#9 0x0000000000400923 in main (argc=2, argv=0x7fffffffdd48) at harness-debug.c:164
164 size_t r = iconv(cd, &tin, &tin_left, &tout, &tout_left);
(gdb) print tin
$1 = 0x40311a <input+26> ""
(gdb) print tin_left
$2 = 3
(gdb) print tout
$3 = 0x403119 <input+25> "A"
The glibc implementation does not support that. I'm not sure if that's
actually a bug. I couldn't find documentation discussing overlapping
buffers (beyond the restrict keyword, which I find a bit iffy).
Thanks,
Florian
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
