From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/4081 Path: news.gmane.org!not-for-mail From: Michael Forney Newsgroups: gmane.linux.lib.musl.general Subject: [PATCH] mbsrtowcs: Fix bug when wn is a multiple of 4 Date: Fri, 27 Sep 2013 01:54:42 -0700 Message-ID: <1380272082-13878-1-git-send-email-mforney@mforney.org> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org X-Trace: ger.gmane.org 1380272128 16436 80.91.229.3 (27 Sep 2013 08:55:28 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Fri, 27 Sep 2013 08:55:28 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-4085-gllmg-musl=m.gmane.org@lists.openwall.com Fri Sep 27 10:55:32 2013 Return-path: Envelope-to: gllmg-musl@plane.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1VPTpi-0005tL-2a for gllmg-musl@plane.gmane.org; Fri, 27 Sep 2013 10:55:30 +0200 Original-Received: (qmail 25836 invoked by uid 550); 27 Sep 2013 08:55:28 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 25826 invoked from network); 27 Sep 2013 08:55:28 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id; bh=yNW5/yhB3bkFdiYvw1fIJACIxQXjI0Kc30i1TEVZXWE=; b=MQSizo0OuxuKq/rOaDIk/2KPngGcTkfXzoYCqVnUmjjpkCtjS8OI9CyRgh3gLT/VNB VZ1lXI6f/3NqGqdYd5tMV070n6N8EESksJewjVsWKgzVrjCrqLrIY3PSPPfO5Qvuxqjw +Aa2U6PxAXJOdPVplzrazd910fnqbmLmlmzjXCr4L8ad1zmKp4SkTIUnsBTUElcZcJq+ AZ/TSmh8Jsvo8KRT28Qo3gi/DGEYExrEiUix+wBdn6X2B75SXO1vHp3A4NGuO7v4bpsD Af8J5i7/JcTaUsg+acNg19wbqmAnQq9Bz7XsUpZLdnp3iLix64Q5amme2EEzn1nNXg0n gojw== X-Gm-Message-State: ALoCoQki572cpIF6iC+ZOhikkP5qaVWE/9Gp2pYGG36lDoYEGDH8LTS8m+hrDj9DF/dZWMQK06uY X-Received: by 10.66.140.40 with SMTP id rd8mr10239214pab.119.1380272116332; Fri, 27 Sep 2013 01:55:16 -0700 (PDT) X-Mailer: git-send-email 1.8.4 Xref: news.gmane.org gmane.linux.lib.musl.general:4081 Archived-At: If wn becomes 0 after processing a chunk of 4, mbsrtowcs currently continues on, wrapping wn around to -1, causing the rest of the string to be processed. This resulted in buffer overruns if there was only space in ws for wn wide characters. --- Hi, I found this bug while tracking down a SIGSEGV in bash when globbing a large pattern. src/multibyte/mbsrtowcs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c index b9bbc33..c5a30de 100644 --- a/src/multibyte/mbsrtowcs.c +++ b/src/multibyte/mbsrtowcs.c @@ -66,6 +66,7 @@ resume0: *ws++ = *s++; wn -= 4; } + if (!wn) continue; } if (*s-1u < 0x7f) { *ws++ = *s++; -- 1.8.4