mailing list of musl libc
* [musl] [PATCH] mbsrtowcs: fix buffer overflow with zero dest buf size and non-initial mbstate_t
@ 2023-05-30 10:02 Alexey Izbyshev
From: Alexey Izbyshev @ 2023-05-30 10:02 UTC (permalink / raw)
  To: musl

If mbsrtowcs is called with non-initial conversion state, it resumes
from the point where normally it has already been checked that there is
space in the destination buffer for at least one wide character. Because
the check is skipped in this case, if wn is zero, the function will
wrongly write to the buffer in case of successful conversion, then wrap
wn around and may continue overflowing the buffer further.
---
Note: this patch was made on top of "mbsrtowcs: fix wrong *src update in
case of EILSEQ with non-initial mbstate_t"
(https://www.openwall.com/lists/musl/2023/05/29/8).
---
 src/multibyte/mbsrtowcs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c
index cbab539d..843ad3b5 100644
--- a/src/multibyte/mbsrtowcs.c
+++ b/src/multibyte/mbsrtowcs.c
@@ -13,6 +13,7 @@ size_t mbsrtowcs(wchar_t *restrict ws, const char **restrict src, size_t wn, mbs
 
 	if (st && (c = *(unsigned *)st)) {
 		if (ws) {
+			if (!wn) return 0;
 			s0 = s;
 			*(unsigned *)st = 0;
 			goto resume;
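Review bot: The new `if (!wn) return 0;` is the right guard but carries no explanation, and it is needed only because `goto resume` bypasses the destination-space check that the loop otherwise performs before the first write; a short comment on that line (e.g. `/* resume skips the loop's wn check */`) would keep a future cleanup from dropping it as redundant. Returning before `*(unsigned *)st = 0` is the correct order: no input byte is consumed, so the pending conversion state stays intact for the caller's next call, and nesting the check under `if (ws)` leaves the ws == NULL path, which writes nothing, unchanged.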
-- 
2.39.2
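As an added regression check against the host libc (not part of this patch or of musl's own test suite), the program below reproduces the conditions the commit message describes: it makes the conversion state non-initial with a partial UTF-8 sequence, then calls mbsrtowcs with wn == 0 and a guard-filled destination, and finally confirms the pending sequence still completes once space is available. The locale names, guard pattern and input bytes are constructed for this check.

```c
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define GUARD 0x7E7E7E7E  /* sentinel; any write to ws disturbs it */
#define NGUARD 4

/* Constructed list of UTF-8 locale names; 1 once lead byte 0xC3 alone is incomplete, not illegal. */
static int set_utf8_locale(void)
{
    static const char *const names[] = { "C.UTF-8", "en_US.UTF-8", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        mbstate_t probe = { 0 };
        if (setlocale(LC_CTYPE, names[i]) &&
            mbrtowc(NULL, "\xC3", 1, &probe) == (size_t)-2)
            return 1;
    }
    return 0;
}

/* 0 = pass, 1 = skipped (no UTF-8 locale), negative = which step failed. */
int check_zero_wn_with_pending_state(void)
{
    if (!set_utf8_locale()) return 1;
    mbstate_t st = { 0 };
    /* Feed only the lead byte of U+00E9 ("\xC3\xA9"): state becomes non-initial. */
    if (mbrtowc(NULL, "\xC3", 1, &st) != (size_t)-2 || mbsinit(&st)) return -1;
    wchar_t ws[NGUARD];
    for (int i = 0; i < NGUARD; i++) ws[i] = GUARD;
    const char *src = "\xA9" "x";   /* continuation byte, then ASCII */
    const char *orig = src;
    /* The path the patch guards: non-initial state, ws != NULL, wn == 0. Nothing may be written or consumed. */
    size_t n = mbsrtowcs(ws, &src, 0, &st);
    if (n != 0) return -2;
    for (int i = 0; i < NGUARD; i++) if (ws[i] != GUARD) return -3;
    if (src != orig) return -4;
    /* With room available the pending sequence must now complete: L"éx". */
    n = mbsrtowcs(ws, &src, NGUARD, &st);
    if (n != 2 || ws[0] != 0xE9 || ws[1] != L'x' || ws[2] != 0 || src != NULL)
        return -5;
    return 0;
}

int main(void)
{
    int r = check_zero_wn_with_pending_state();
    printf("%d (0 = ok, 1 = skipped, <0 = failure)\n", r);
    return r < 0;
}
```

A negative result on a musl build without this patch is exactly the overflow the commit message describes, which makes this suitable as a permanent regression test.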

