Date: Fri, 5 Feb 2010 14:29:41 +0100
From: Natacha PORTE <natbsd@instinctive.eu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/143575: [Patch] converters/libiconv: Fix an endless loop in the conversion to wchar_t
Message-ID: <20100205132940.GK79938@sigil.instinctive.eu>
Resent-Message-ID: <201002051400.o15E0CYH062015@freefall.freebsd.org>
>Number: 143575 >Category: ports >Synopsis: [Patch] converters/libiconv: Fix an endless loop in the conversion to wchar_t >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Fri Feb 05 14:00:11 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Natacha PORTE >Release: FreeBSD 7.2-RELEASE-p4 i386 >Organization: >Environment: System: FreeBSD sigil.instinctive.eu 7.2-RELEASE-p4 FreeBSD 7.2-RELEASE-p4 #2 r200055: Thu Dec 3 16:42:18 CET 2009 nat@sigil.instinctive.eu:/usr/obj/usr/src/sys/GENERIC i386 >Description: UTF-8 to wchar_t conversion of an input ending with an incomplete multibyte sequence triggered an endless loop. newsbeuter triggered this bug quite often. >How-To-Repeat: >Fix: This has been fixed upstream: http://git.savannah.gnu.org/cgit/libiconv.git/commit/?id=2cf3ee65d04ac4e41e29aa7526361ec3f20f5e29 The attached patch is a chopped out version of this commit, keeping the actual fix while leaving test, news and whatever looked like possibly troublesome to apply. --- patch-endless-wchar_t-loop begins here --- --- lib/loop_wchar.h +++ lib/loop_wchar.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2000-2002, 2005-2006, 2008 Free Software Foundation, Inc. + * Copyright (C) 2000-2002, 2005-2006, 2008-2009 Free Software Foundation, Inc. * This file is part of the GNU LIBICONV Library. * * The GNU LIBICONV Library is free software; you can redistribute it @@ -321,7 +321,8 @@ static size_t wchar_to_loop_convert (iconv_t icd, size_t result = 0; while (*inbytesleft > 0) { size_t incount; - for (incount = 1; incount <= *inbytesleft; incount++) { + for (incount = 1; ; ) { + /* Here incount <= *inbytesleft. */ char buf[BUF_SIZE]; const char* inptr = *inbuf; size_t inleft = incount; 
@@ -403,6 +404,12 @@ static size_t wchar_to_loop_convert (iconv_t icd, break; } } + incount++; + if (incount > *inbytesleft) { + /* Incomplete input. */ + errno = EINVAL; + return -1; + } } } return result; --- patch-endless-wchar_t-loop ends here --- >Release-Note: >Audit-Trail: >Unformatted:
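Review bot: in the @@ -321 hunk the `for (incount = 1; ; )` header no longer carries the bound or the increment, so the invariant in the new comment ("Here incount <= *inbytesleft") holds only if every path through the body that does not `break` falls through to the `incount++` block added in the @@ -403 hunk. A `continue` anywhere in the body would skip both the increment and the bounds check, and `size_t inleft = incount;` would then keep being fed an unchecked value. Consider extending the comment to say that incount is advanced and checked at the bottom of the loop body, so a later edit does not reintroduce the hang.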
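Review bot: the new `return -1;` in the @@ -403 hunk sits in a function declared as `static size_t wchar_to_loop_convert`, so writing `(size_t)(-1)` would make the conversion explicit and easier to match against the iconv() error value at call sites. The report also leaves How-To-Repeat empty and states that the upstream test was cut from this patch; a minimal reproducer (input ending in an incomplete multibyte sequence) attached to the PR would let the port maintainer confirm that the EINVAL path is reached.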
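A regression check for the case the report describes (UTF-8 input ending in an incomplete multibyte sequence, converted to wchar_t), as an added example that is not part of the original message or of libiconv. The helper `utf8_to_wchar_once`, the `conv_result` struct and the 5-second alarm budget are assumptions; the `char **` cast assumes the POSIX iconv() prototype.

```c
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <unistd.h>
#include <wchar.h>

/* Outcome of one iconv() call (hypothetical helper type, not libiconv's). */
struct conv_result {
    int err;          /* 0 on success, otherwise errno left by iconv() */
    size_t consumed;  /* input bytes accepted */
    size_t produced;  /* wide characters written */
};

/* Convert len bytes of UTF-8 to wchar_t with a single iconv() call.
 * alarm() bounds the call: a library that spins on a truncated tail is
 * killed by SIGALRM (default action) instead of hanging the test run. */
static struct conv_result utf8_to_wchar_once(const char *in, size_t len)
{
    struct conv_result r = { 0, 0, 0 };
    wchar_t out[64];
    char *inptr = (char *)in, *outptr = (char *)out;
    size_t inleft = len, outleft = sizeof out;

    iconv_t cd = iconv_open("WCHAR_T", "UTF-8");
    if (cd == (iconv_t)-1) {
        r.err = errno;
        return r;
    }
    alarm(5);                       /* assumed time budget for one call */
    if (iconv(cd, &inptr, &inleft, &outptr, &outleft) == (size_t)-1)
        r.err = errno;
    alarm(0);
    r.consumed = len - inleft;
    r.produced = (sizeof out - outleft) / sizeof(wchar_t);
    iconv_close(cd);
    return r;
}

int main(void)
{
    /* Constructed inputs: "a" + lead byte of a 2-byte sequence, then U+00E9. */
    struct conv_result bad = utf8_to_wchar_once("a\xC3", 2);
    struct conv_result ok = utf8_to_wchar_once("\xC3\xA9", 2);
    printf("truncated: err=%d (EINVAL=%d) consumed=%zu\n",
           bad.err, EINVAL, bad.consumed);
    printf("complete:  err=%d produced=%zu\n", ok.err, ok.produced);
    return (bad.err == EINVAL && ok.err == 0) ? 0 : 1;
}
```

A fixed library returns from the truncated case with EINVAL after consuming only the leading "a"; the process being killed by SIGALRM indicates the loop described in the report.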