Message-ID: <CAD04+wifAs4g_gwLOMtVOAFqGWjMggrPz4ZZ39=ofKjQk60WXA@mail.gmail.com>
Date: Fri, 23 Jan 2026 14:46:01 -0500
From: Richard Howe <rhowe425@...il.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: musl@...ts.openwall.com
Subject: Re: denial-of-service issue in musl’s iconv implementation
Got it - thank you for confirming. My harness does allow for overlapping
input/output buffers, which violates the restrict contract, so that explains
the abort.

On Fri, Jan 23, 2026 at 2:14 PM Florian Weimer <fweimer@...hat.com> wrote:
> * Richard Howe:
>
> > Hello,
> >
> > I am reporting a denial-of-service issue in musl’s iconv implementation.
> >
> > Summary
> >
> > A crafted input passed to iconv() can trigger an internal assertion failure in gconv():
> >
> > ../iconv/skeleton.c:745: gconv: Assertion `outbuf == outerr' failed
>
> This happens because you call iconv with input and output buffers that
> overlap:
>
> #9 0x0000000000400923 in main (argc=2, argv=0x7fffffffdd48) at harness-debug.c:164
> 164 size_t r = iconv(cd, &tin, &tin_left, &tout, &tout_left);
> (gdb) print tin
> $1 = 0x40311a <input+26> ""
> (gdb) print tin_left
> $2 = 3
> (gdb) print tout
> $3 = 0x403119 <input+25> "A"
>
> The glibc implementation does not support that. I'm not sure if that's
> actually a bug. I couldn't find documentation discussing overlapping
> buffers (beyond the restrict keyword, which I find a bit iffy).
>
> Thanks,
> Florian
>
>
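
Added example, not part of the original thread and not code from either poster's harness: a guard a fuzzing harness can place in front of iconv() so that overlapping input/output buffers, as in the gdb session above, are rejected before the call instead of surfacing as a library abort. The names `ranges_overlap` and `checked_iconv`, the output length of 8 and the UTF-8 to UTF-8 conversion are assumptions made for the illustration.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Nonzero if byte ranges [a, a+alen) and [b, b+blen) share at least one byte.
 * Addresses are compared as integers so unrelated objects can be tested too. */
static int ranges_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t ua = (uintptr_t)a, ub = (uintptr_t)b;
    if (alen == 0 || blen == 0)
        return 0;                       /* an empty range overlaps nothing */
    return ua < ub ? (ub - ua) < alen : (ua - ub) < blen;
}

/* Hypothetical harness wrapper: refuse overlapping buffers instead of
 * passing them to iconv(), whose parameters are restrict-qualified. */
static size_t checked_iconv(iconv_t cd, char **in, size_t *inleft,
                            char **out, size_t *outleft)
{
    /* NULL in/out are the legal reset/flush forms; nothing to compare there. */
    if (in && *in && inleft && out && *out && outleft &&
        ranges_overlap(*in, *inleft, *out, *outleft)) {
        errno = EINVAL;                 /* harness-level error, not an iconv result */
        return (size_t)-1;
    }
    return iconv(cd, in, inleft, out, outleft);
}

int main(void)
{
    /* Constructed buffer laid out like the gdb session: input at +26,
     * output at +25. The output length (8) is an assumed value. */
    static char input[64] = "AAAAAAAAAAAAAAAAAAAAAAAAAAabc";
    char *tin = input + 26, *tout = input + 25;
    size_t tin_left = 3, tout_left = 8;
    iconv_t cd = iconv_open("UTF-8", "UTF-8");
    if (cd == (iconv_t)-1) { perror("iconv_open"); return 1; }
    size_t r = checked_iconv(cd, &tin, &tin_left, &tout, &tout_left);
    printf("overlap rejected: %s\n",
           (r == (size_t)-1 && errno == EINVAL) ? "yes" : "no");
    iconv_close(cd);
    return 0;
}
```

In a fuzzing harness, treating the rejected case as an invalid test input rather than a finding keeps caller-side contract violations out of the crash queue.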