Date:      Mon, 18 Feb 2013 12:03:11 -0500 (EST)
From:      "J.R. Oldroyd" <fbsd@opal.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/176250: euc locale input modifies data
Message-ID:  <201302181703.r1IH3Bum090564@shibato.opal.com>
Resent-Message-ID: <201302181710.r1IHA0bH033585@freefall.freebsd.org>


>Number:         176250
>Category:       bin
>Synopsis:       euc locale input modifies data
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 18 17:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     J.R. Oldroyd
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD xx.opal.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r244985: Tue Jan 8 10:51:13 EST 2013 jr@xx.opal.com:/usr/src/sys/amd64/compile/GENERIC amd64
>Description:
When reading an invalid multibyte data sequence while set to an euc locale,
e.g., ja_JP.eucJP, the src/lib/libc/locale/euc.c code will modify the bytes
read to ensure that the 0x8080 or 0x808080 bits are set.  This has the
effect of silently returning data other than that which was in the input.
There is then no way of detecting that the input sequence was invalid.

The correct behavior is to test that those bits are set, return the data
if they are, but return EILSEQ if not.

Fix is applicable to 10-current and 9-stable.  Please MFC.
>How-To-Repeat:
1. Create test file containing invalid euc multibyte characters such as:
	0xa440 0xac4f 0xb36f 0xcf20
2. Set locale to, e.g., ja_JP.eucJP.
3. Read characters from file using getwc().  Observe that what's read is:
	0xa4c0 0xaccf 0xb3ef 0xcfa0
>Fix:
--- src/lib/libc/locale/euc.c.orig	2013-01-02 19:26:36.000000000 -0500
+++ src/lib/libc/locale/euc.c	2013-02-17 15:51:58.000000000 -0500
@@ -215,7 +215,11 @@
 		es->ch = wc;
 		return ((size_t)-2);
 	}
-	wc = (wc & ~CEI->mask) | CEI->bits[set];
+	if (wc != ((wc & ~CEI->mask) | CEI->bits[set])) {
+		/* Invalid multibyte sequence */
+		errno = EILSEQ;
+		return ((size_t)-1);
+	}
 	if (pwc != NULL)
 		*pwc = wc;
 	es->want = 0;
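Review bot: the new EILSEQ return inside the `if (wc != ...)` block leaves the function before the `es->want = 0;` line that follows in the context, so the conversion state still holds the accumulated sequence when the error is returned. If callers are meant to be able to continue after the error, clear the state on this path, or say in the comment that it is left as is. The patch also carries no hunk adding an include, so check that euc.c already pulls in <errno.h> for `errno` and `EILSEQ`.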
>Release-Note:
>Audit-Trail:
>Unformatted:
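
The behaviour described in this report, modelled as an added example (not code from the PR or from libc). The mask and bits value 0x8080 are assumed from the description for a two-byte code set, and assemble, finish_old and finish_patched are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed values for a two-byte EUC code set, taken from the report's
 * description ("the 0x8080 ... bits are set"); not read from a locale. */
#define EUC_MASK 0x8080
#define EUC_BITS 0x8080

/* Assemble the wide character from two input bytes, high byte first. */
static wchar_t assemble(unsigned char b0, unsigned char b1)
{
	return (wchar_t)((b0 << 8) | b1);
}

/* Model of the pre-patch step: force the code set bits on, return length. */
size_t finish_old(wchar_t wc, wchar_t *pwc)
{
	wc = (wc & ~EUC_MASK) | EUC_BITS;
	if (pwc != NULL)
		*pwc = wc;
	return 2;
}

/* Model of the patched step: reject input whose bits are not already set. */
size_t finish_patched(wchar_t wc, wchar_t *pwc)
{
	if (wc != ((wc & ~EUC_MASK) | EUC_BITS)) {
		errno = EILSEQ;
		return (size_t)-1;
	}
	if (pwc != NULL)
		*pwc = wc;
	return 2;
}

int main(void)
{
	/* The four invalid sequences from the How-To-Repeat section. */
	static const unsigned char in[4][2] = {
		{0xa4, 0x40}, {0xac, 0x4f}, {0xb3, 0x6f}, {0xcf, 0x20} };
	for (int i = 0; i < 4; i++) {
		wchar_t wc = assemble(in[i][0], in[i][1]), out = 0;
		finish_old(wc, &out);
		size_t r = finish_patched(wc, NULL);
		printf("in 0x%04x old 0x%04x patched %s\n", (unsigned)wc,
		    (unsigned)out, r == (size_t)-1 ? "EILSEQ" : "ok");
	}
	return 0;
}
```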


