]>
Commit | Line | Data |
---|---|---|
fe875de8 MT |
1 | commit 41488498b6d9440ee66ab033808cce8323bba7ac |
2 | Author: Florian Weimer <fweimer@redhat.com> | |
3 | Date: Wed Sep 3 19:45:43 2014 +0200 | |
4 | ||
5 | CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325] | |
6 | ||
7 | These changes are based on the fix for BZ #14134 in commit | |
8 | 6e230d11837f3ae7b375ea69d7905f0d18eb79e5. | |
9 | ||
10 | diff --git a/iconvdata/Makefile b/iconvdata/Makefile | |
11 | index 0a410a1..b6327d6 100644 | |
12 | --- a/iconvdata/Makefile | |
13 | +++ b/iconvdata/Makefile | |
14 | @@ -297,6 +297,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \ | |
15 | $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \ | |
16 | $(addprefix $(objpfx),$(modules.so)) \ | |
17 | $(common-objdir)/iconv/iconv_prog TESTS | |
18 | + iconv_modules="$(modules)" \ | |
19 | $(SHELL) -e $< $(common-objdir) > $@ | |
20 | ||
21 | $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \ | |
22 | diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c | |
23 | index 0b5484f..cf80993 100644 | |
24 | --- a/iconvdata/ibm1364.c | |
25 | +++ b/iconvdata/ibm1364.c | |
26 | @@ -221,7 +221,8 @@ enum | |
27 | ++rp2; \ | |
28 | \ | |
29 | uint32_t res; \ | |
30 | - if (__builtin_expect (ch < rp2->start, 0) \ | |
31 | + if (__builtin_expect (rp2->start == 0xffff, 0) \ | |
32 | + || __builtin_expect (ch < rp2->start, 0) \ | |
33 | || (res = DB_TO_UCS4[ch + rp2->idx], \ | |
34 | __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ | |
35 | { \ | |
36 | diff --git a/iconvdata/ibm932.c b/iconvdata/ibm932.c | |
37 | index f5dca59..aa69d65 100644 | |
38 | --- a/iconvdata/ibm932.c | |
39 | +++ b/iconvdata/ibm932.c | |
40 | @@ -74,11 +74,12 @@ | |
41 | } \ | |
42 | \ | |
43 | ch = (ch * 0x100) + inptr[1]; \ | |
44 | + /* ch was less than 0xfd. */ \ | |
45 | + assert (ch < 0xfd00); \ | |
46 | while (ch > rp2->end) \ | |
47 | ++rp2; \ | |
48 | \ | |
49 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
50 | - || __builtin_expect (ch < rp2->start, 0) \ | |
51 | + if (__builtin_expect (ch < rp2->start, 0) \ | |
52 | || (res = __ibm932db_to_ucs4[ch + rp2->idx], \ | |
53 | __builtin_expect (res, '\1') == 0 && ch !=0)) \ | |
54 | { \ | |
55 | diff --git a/iconvdata/ibm933.c b/iconvdata/ibm933.c | |
56 | index f46dfb5..461fb5e 100644 | |
57 | --- a/iconvdata/ibm933.c | |
58 | +++ b/iconvdata/ibm933.c | |
59 | @@ -162,7 +162,7 @@ enum | |
60 | while (ch > rp2->end) \ | |
61 | ++rp2; \ | |
62 | \ | |
63 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
64 | + if (__builtin_expect (rp2->start == 0xffff, 0) \ | |
65 | || __builtin_expect (ch < rp2->start, 0) \ | |
66 | || (res = __ibm933db_to_ucs4[ch + rp2->idx], \ | |
67 | __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ | |
68 | diff --git a/iconvdata/ibm935.c b/iconvdata/ibm935.c | |
69 | index a8e4e6c..132d816 100644 | |
70 | --- a/iconvdata/ibm935.c | |
71 | +++ b/iconvdata/ibm935.c | |
72 | @@ -162,7 +162,7 @@ enum | |
73 | while (ch > rp2->end) \ | |
74 | ++rp2; \ | |
75 | \ | |
76 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
77 | + if (__builtin_expect (rp2->start == 0xffff, 0) \ | |
78 | || __builtin_expect (ch < rp2->start, 0) \ | |
79 | || (res = __ibm935db_to_ucs4[ch + rp2->idx], \ | |
80 | __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ | |
81 | diff --git a/iconvdata/ibm937.c b/iconvdata/ibm937.c | |
82 | index 239be61..69b154d 100644 | |
83 | --- a/iconvdata/ibm937.c | |
84 | +++ b/iconvdata/ibm937.c | |
85 | @@ -162,7 +162,7 @@ enum | |
86 | while (ch > rp2->end) \ | |
87 | ++rp2; \ | |
88 | \ | |
89 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
90 | + if (__builtin_expect (rp2->start == 0xffff, 0) \ | |
91 | || __builtin_expect (ch < rp2->start, 0) \ | |
92 | || (res = __ibm937db_to_ucs4[ch + rp2->idx], \ | |
93 | __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ | |
94 | diff --git a/iconvdata/ibm939.c b/iconvdata/ibm939.c | |
95 | index 5d0db36..9936e2c 100644 | |
96 | --- a/iconvdata/ibm939.c | |
97 | +++ b/iconvdata/ibm939.c | |
98 | @@ -162,7 +162,7 @@ enum | |
99 | while (ch > rp2->end) \ | |
100 | ++rp2; \ | |
101 | \ | |
102 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
103 | + if (__builtin_expect (rp2->start == 0xffff, 0) \ | |
104 | || __builtin_expect (ch < rp2->start, 0) \ | |
105 | || (res = __ibm939db_to_ucs4[ch + rp2->idx], \ | |
106 | __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \ | |
107 | diff --git a/iconvdata/ibm943.c b/iconvdata/ibm943.c | |
108 | index be0c14f..c5d5742 100644 | |
109 | --- a/iconvdata/ibm943.c | |
110 | +++ b/iconvdata/ibm943.c | |
111 | @@ -75,11 +75,12 @@ | |
112 | } \ | |
113 | \ | |
114 | ch = (ch * 0x100) + inptr[1]; \ | |
115 | + /* ch was less than 0xfd. */ \ | |
116 | + assert (ch < 0xfd00); \ | |
117 | while (ch > rp2->end) \ | |
118 | ++rp2; \ | |
119 | \ | |
120 | - if (__builtin_expect (rp2 == NULL, 0) \ | |
121 | - || __builtin_expect (ch < rp2->start, 0) \ | |
122 | + if (__builtin_expect (ch < rp2->start, 0) \ | |
123 | || (res = __ibm943db_to_ucs4[ch + rp2->idx], \ | |
124 | __builtin_expect (res, '\1') == 0 && ch !=0)) \ | |
125 | { \ | |
126 | diff --git a/iconvdata/run-iconv-test.sh b/iconvdata/run-iconv-test.sh | |
127 | index c98c929..5dfb69f 100755 | |
128 | --- a/iconvdata/run-iconv-test.sh | |
129 | +++ b/iconvdata/run-iconv-test.sh | |
130 | @@ -184,6 +184,24 @@ while read utf8 from filename; do | |
131 | ||
132 | done < TESTS2 | |
133 | ||
134 | +# Check for crashes in decoders. | |
135 | +printf '\016\377\377\377\377\377\377\377' > $temp1 | |
136 | +for from in $iconv_modules ; do | |
137 | + echo $ac_n "test decoder $from $ac_c" | |
138 | + PROG=`eval echo $ICONV` | |
139 | + if $PROG < $temp1 >/dev/null 2>&1 ; then | |
140 | + : # fall through | |
141 | + else | |
142 | + status=$? | |
143 | + if test $status -gt 1 ; then | |
144 | + echo "/FAILED" | |
145 | + failed=1 | |
146 | + continue | |
147 | + fi | |
148 | + fi | |
149 | + echo "OK" | |
150 | +done | |
151 | + | |
152 | exit $failed | |
153 | # Local Variables: | |
154 | # mode:shell-script |