qiurui
/
glibc
mirror of git://sourceware.org/git/glibc.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix off-by-one OOB write in iconv/tst-iconv-mt 

The iconv buffer sizes must not include the \0 string terminator.
And the output termination with *outbufpos = '\0' was OOB.

Consistently use non-null-terminated buffer sizes.

Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
This commit is contained in:
Szabolcs Nagy 2022-09-26 15:38:19 +01:00
parent 1056e5b4c3
commit 0a520f28ff
1 changed files with 5 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
iconv/tst-iconv-mt.c
View File

@ -57,12 +57,13 @@ worker (void * arg)
iconv_t cd; iconv_t cd;
char ascii[] = CONV_INPUT; char ascii[] = CONV_INPUT;
size_t bytes = sizeof (CONV_INPUT) - 1;
char *inbufpos = ascii; char *inbufpos = ascii;
size_t inbytesleft = sizeof (CONV_INPUT); size_t inbytesleft = bytes;
char *utf8 = xcalloc (sizeof (CONV_INPUT), 1); char *utf8 = xcalloc (bytes, 1);
char *outbufpos = utf8; char *outbufpos = utf8;
size_t outbytesleft = sizeof (CONV_INPUT); size_t outbytesleft = bytes;
if (tidx < TCOUNT/2) if (tidx < TCOUNT/2)
/* The first half of the worker thread pool synchronize together here, /* The first half of the worker thread pool synchronize together here,
@ -91,8 +92,6 @@ worker (void * arg)
&outbytesleft) &outbytesleft)
!= (size_t) -1); != (size_t) -1);
*outbufpos = '\0';
xpthread_barrier_wait (&sync); xpthread_barrier_wait (&sync);
TEST_VERIFY_EXIT (iconv_close (cd) == 0); TEST_VERIFY_EXIT (iconv_close (cd) == 0);
@ -104,11 +103,7 @@ worker (void * arg)
if (tidx < TCOUNT/2) if (tidx < TCOUNT/2)
xpthread_barrier_wait (&sync); xpthread_barrier_wait (&sync);
if (strncmp (utf8, CONV_INPUT, sizeof CONV_INPUT)) TEST_COMPARE_BLOB (utf8, bytes, CONV_INPUT, bytes);
{
printf ("FAIL: thread %lx: invalid conversion output from iconv\n", tidx);
pthread_exit ((void *) (long int) 1);
}
pthread_exit (NULL); pthread_exit (NULL);
} }