From: Rich Felker
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: [PATCH] mbsrtowcs: Fix bug when wn is a multiple of 4
Date: Fri, 27 Sep 2013 11:28:49 -0400
Message-ID: <20130927152849.GC20515@brightrain.aerifal.cx>
In-Reply-To: <1380272082-13878-1-git-send-email-mforney@mforney.org>
To: musl@lists.openwall.com

On Fri, Sep 27, 2013 at 01:54:42AM -0700, Michael Forney wrote:
> If wn becomes 0 after processing a chunk of 4, mbsrtowcs currently
> continues on, wrapping wn around to -1, causing the rest of the string
> to be processed.
>
> This resulted in buffer overruns if there was only space in ws for wn
> wide characters.
> ---
> Hi,
>
> I found this bug while tracking down a SIGSEGV in bash when globbing a large
> pattern.

Thanks! That's a nice find.

> src/multibyte/mbsrtowcs.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c
> index b9bbc33..c5a30de 100644
> --- a/src/multibyte/mbsrtowcs.c
> +++ b/src/multibyte/mbsrtowcs.c
> @@ -66,6 +66,7 @@ resume0:
> *ws++ = *s++;
> wn -= 4;
> }
> + if (!wn) continue;

Rather than adding an extra branch here, why not just either change the
>=4 condition to >=5 or unconditionally continue here? Any thoughts on
what would be better?

Rich
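Review bot: the new `if (!wn) continue;` is placed after the closing brace of the chunk loop, so it only fires when the 4-at-a-time path ran and drained wn exactly; the description says the wraparound happens when the next byte is then handled one at a time, so the fix depends on the outer loop stopping on wn == 0 before that path, which is not visible in this hunk's context and deserves a one-line comment at the insertion point. The alternative of requiring >=5 before a chunk avoids the extra branch but means that when exactly four slots remain those bytes go through the single-byte path instead; whichever is chosen, a regression test with a pure-ASCII input longer than wn, wn a multiple of 4, checking that exactly wn wide characters are stored, would pin the behaviour down.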
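Added example, not musl's code and not from Michael's patch or Rich's reply: a simplified C model of the loop above, with mode 0 the original code, mode 1 the patch's extra branch, and mode 2 Rich's >=5 condition. The names ascii4, put and model_mbsrtowcs are my own, the word-at-a-time test is replaced by a byte check, and stores beyond cap are counted rather than performed (pass ws = NULL, cap = 0 to count only).

```c
#include <stddef.h>
#include <wchar.h>

/* Model of the ASCII fast path in musl's mbsrtowcs() as of this patch
 * (added example, not musl's code). The 4-byte word test is replaced by a
 * byte-wise check, and stores beyond `cap` are counted but not performed,
 * so the buggy variant cannot corrupt memory here. Returns how many wide
 * characters the loop would have stored before reaching the terminator.
 * mode 0: original code; 1: the patch's `if (!wn) continue;`;
 * 2: Rich's alternative of requiring wn >= 5 before a 4-at-a-time chunk. */
static int ascii4(const unsigned char *s)
{
	return s[0]-1u < 0x7f && s[1]-1u < 0x7f && s[2]-1u < 0x7f && s[3]-1u < 0x7f;
}

static void put(wchar_t *ws, size_t cap, size_t *written, wchar_t c)
{
	if (*written < cap) ws[*written] = c;   /* the real code has no guard */
	(*written)++;
}

size_t model_mbsrtowcs(wchar_t *ws, size_t cap, const char *src, size_t wn, int mode)
{
	const unsigned char *s = (const unsigned char *)src;
	size_t written = 0;
	size_t chunk_min = mode == 2 ? 5 : 4;
	for (;;) {
		if (!wn) return written;               /* buffer full: normal stop */
		if (ascii4(s)) {
			while (wn >= chunk_min && ascii4(s)) {
				for (int i = 0; i < 4; i++) put(ws, cap, &written, *s++);
				wn -= 4;
			}
			if (mode == 1 && !wn) continue;    /* the patch's extra branch */
		}
		if (*s-1u < 0x7f) {                    /* one ASCII byte */
			put(ws, cap, &written, *s++);
			wn--;                              /* mode 0: wn == 0 wraps to SIZE_MAX */
			continue;
		}
		/* NUL terminator (multibyte sequences are out of scope for the model) */
		if (written < cap) ws[written] = 0;
		return written;
	}
}
```

With "abcdefgh" and wn = 4, mode 0 reports 8 characters stored into a 4-slot buffer, while modes 1 and 2 stop at 4; with wn = 5 or wn = 8 the original code already stops correctly, which is why the bug needs wn to be a multiple of 4 with ASCII input following.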