CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
1 /* Conversion from and to IBM935
2 Copyright (C) 2000-2014 Free Software Foundation, Inc.
3 This file is part of the GNU C Library.
4 Contributed by Masahide Washizawa <washi@yamato.ibm.co.jp>, 2000.
5
6 The GNU C Library is free software; you can redistribute it and/or
7 modify it under the terms of the GNU Lesser General Public
8 License as published by the Free Software Foundation; either
9 version 2.1 of the License, or (at your option) any later version.
10
11 The GNU C Library is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public
17 License along with the GNU C Library; if not, see
18 <http://www.gnu.org/licenses/>. */
19
20 #include <dlfcn.h>
21 #include <stdint.h>
22 #include <wchar.h>
23 #include <byteswap.h>
24 #include "ibm935.h"
25
/* Shift bytes of this charset.  IBM935 switches between its single-byte
   and double-byte codesets with SO/SI and does not use ESC sequences.  */
#define SI 0x0F  /* Shift In: host code that turns DBCS off.  */
#define SO 0x0E  /* Shift Out: host code that turns DBCS on.  */

/* Parameters read by the generic `gconv' function body.  On the IBM935
   side a character is 1 or 2 bytes on input and up to 3 bytes on output
   (a shift byte followed by a double-byte character); on the UCS4 side
   it is always 4 bytes.  */
#define CHARSET_NAME              "IBM935//"
#define FROM_LOOP                 from_ibm935
#define TO_LOOP                   to_ibm935
#define ONE_DIRECTION             0
#define FROM_LOOP_MIN_NEEDED_FROM 1
#define FROM_LOOP_MAX_NEEDED_FROM 2
#define FROM_LOOP_MIN_NEEDED_TO   4
#define FROM_LOOP_MAX_NEEDED_TO   4
#define TO_LOOP_MIN_NEEDED_FROM   4
#define TO_LOOP_MAX_NEEDED_FROM   4
#define TO_LOOP_MIN_NEEDED_TO     1
#define TO_LOOP_MAX_NEEDED_TO     3

/* Per-call setup.  CURCSP points at the `__count' field of the conversion
   state, where the current codeset is kept between calls; SAVE_CURCS is
   the scratch copy that SAVE_RESET_STATE reads and writes.  */
#define PREPARE_LOOP \
  int save_curcs; \
  int *curcsp = &data->__statep->__count;
#define EXTRA_LOOP_ARGS           , curcsp

/* Request the definitions of the initialization and destructor
   functions.  */
#define DEFINE_INIT               1
#define DEFINE_FINI               1
51
52
/* IBM935 is a stateful encoding, so flushing has to bring the output
   back to the initial (single-byte) state.  In the from-direction it is
   enough to clear the codeset bits of the state.  In the to-direction an
   `SI' byte must be written first; when the output buffer has no room
   for it, __GCONV_FULL_OUTPUT is reported and the state is left as it
   was.  The low three bits of `__count' are preserved in every case.  */
#define EMIT_SHIFT_TO_INIT \
  if ((data->__statep->__count & ~7) != sb) \
    { \
      if (FROM_DIRECTION) \
        data->__statep->__count &= 7; \
      else if (__glibc_unlikely (outbuf >= outend)) \
        /* No room for the shift byte: report it, keep the state.  */ \
        status = __GCONV_FULL_OUTPUT; \
      else \
        { \
          /* Write `SI', then record that we are in the initial state.  */ \
          *outbuf++ = SI; \
          data->__statep->__count &= 7; \
        } \
    }
76
77
/* The input pointer may have to be reset, so the codeset state must be
   saved and restored around a conversion run.  A non-zero SAVE copies
   the current state into SAVE_CURCS; zero writes that copy back.  */
#define SAVE_RESET_STATE(Save) \
  do \
    { \
      if (Save) \
        save_curcs = *curcsp; \
      else \
        *curcsp = save_curcs; \
    } \
  while (0)
85
86
/* Codeset currently in effect, as kept in the conversion state.  Both
   values leave the low three bits clear, which matches the `& ~7' mask
   applied wherever the state is read.  */
enum
{
  sb = 0,   /* Single-byte codeset; this is the initial state.  */
  db = 64   /* Double-byte codeset, selected by SO.  */
};
93
/* First, define the conversion function from IBM-935 to UCS4.

   The input bytes are untrusted.  A shift byte that would not change the
   current codeset is rejected, a double-byte character is assembled only
   when its second byte lies inside the input buffer, and the double-byte
   table is indexed only after the gap search has produced a usable
   range.  */
#define MIN_NEEDED_INPUT  FROM_LOOP_MIN_NEEDED_FROM
#define MAX_NEEDED_INPUT  FROM_LOOP_MAX_NEEDED_FROM
#define MIN_NEEDED_OUTPUT FROM_LOOP_MIN_NEEDED_TO
#define MAX_NEEDED_OUTPUT FROM_LOOP_MAX_NEEDED_TO
#define LOOPFCT           FROM_LOOP
#define BODY \
  { \
    uint32_t ch = *inptr; \
    uint32_t res; \
 \
    if (__glibc_unlikely (ch == SO)) \
      { \
        /* Shift OUT selects the DBCS converter.  Seeing it while DBCS \
           is already active is illegal input.  */ \
        if (curcs == db) \
          { \
            result = __GCONV_ILLEGAL_INPUT; \
            break; \
          } \
        curcs = db; \
        ++inptr; \
        continue; \
      } \
    if (__glibc_unlikely (ch == SI)) \
      { \
        /* Shift IN selects the SBCS converter.  Seeing it while SBCS \
           is already active is illegal input.  */ \
        if (curcs == sb) \
          { \
            result = __GCONV_ILLEGAL_INPUT; \
            break; \
          } \
        curcs = sb; \
        ++inptr; \
        continue; \
      } \
 \
    if (curcs == sb) \
      { \
        /* Single-byte lookup.  CH was read from one input byte; the \
           index stays within 0..0xff provided INPTR is an unsigned \
           byte pointer (declared in iconv/loop.c -- confirm).  */ \
        res = __ibm935sb_to_ucs4[ch]; \
        if (__glibc_unlikely (res == 0 && ch != 0)) \
          { \
            /* A zero entry for a non-zero byte: illegal character.  */ \
            STANDARD_FROM_LOOP_ERR_HANDLER (1); \
          } \
        else \
          { \
            put32 (outptr, res); \
            outptr += 4; \
          } \
        ++inptr; \
      } \
    else \
      { \
        const struct gap *rp2 = __ibm935db_to_ucs4_idx; \
 \
        assert (curcs == db); \
 \
        /* Double-byte lookup.  Do not touch inptr[1] unless it is \
           inside the buffer; otherwise ask for more input.  */ \
        if (__glibc_unlikely (inptr + 1 >= inend)) \
          { \
            result = __GCONV_INCOMPLETE_INPUT; \
            break; \
          } \
 \
        ch = (ch << 8) + inptr[1]; \
        /* Advance to the first gap whose END is not below CH.  This \
           walk has no explicit bound: it presumably relies on a final \
           entry in the index table (ibm935.h, not shown) whose END no \
           two-byte value can exceed -- confirm.  */ \
        while (rp2->end < ch) \
          ++rp2; \
 \
        /* A gap starting at 0xffff is treated as "no range matched" \
           and CH below START means CH falls between two ranges.  Both \
           must be rejected before CH + IDX is used as a table index; \
           the lookup is the last operand so it is skipped for them.  */ \
        if (__glibc_unlikely (rp2->start == 0xffff) \
            || __glibc_unlikely (ch < rp2->start) \
            || (res = __ibm935db_to_ucs4[ch + rp2->idx], \
                __glibc_unlikely (res == 0 && ch != 0))) \
          { \
            /* This is an illegal character.  */ \
            STANDARD_FROM_LOOP_ERR_HANDLER (2); \
          } \
        else \
          { \
            put32 (outptr, res); \
            outptr += 4; \
          } \
        inptr += 2; \
      } \
  }
#define LOOP_NEED_FLAGS
/* The loop function receives the state pointer, works on a local copy of
   the codeset bits and writes that copy back through UPDATE_PARAMS.  */
#define EXTRA_LOOP_DECLS  , int *curcsp
#define INIT_PARAMS       int curcs = *curcsp & ~7
#define UPDATE_PARAMS     *curcsp = curcs
185 #include <iconv/loop.c>
186
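/* Next, define the other direction: UCS4 to IBM-935.

   Each UCS4 value is looked up in the single-byte table first and in the
   double-byte table second.  Output is written only after checking that
   the bytes fit before OUTEND, and a shift byte (SO or SI) is emitted
   whenever the codeset of the character differs from the current one.  */
#define MIN_NEEDED_INPUT  TO_LOOP_MIN_NEEDED_FROM
#define MAX_NEEDED_INPUT  TO_LOOP_MAX_NEEDED_FROM
#define MIN_NEEDED_OUTPUT TO_LOOP_MIN_NEEDED_TO
#define MAX_NEEDED_OUTPUT TO_LOOP_MAX_NEEDED_TO
#define LOOPFCT           TO_LOOP
#define BODY \
  { \
    uint32_t ch = get32 (inptr); \
    const struct gap *rp1 = __ucs4_to_ibm935sb_idx; \
    const struct gap *rp2 = __ucs4_to_ibm935db_idx; \
    const char *cp; \
 \
    /* Values at or above 0xffff are handed to the tag and error \
       handlers before any gap table is walked.  NOTE(review): the \
       walks below have no explicit bound and appear to depend on \
       these handlers always leaving the body (break/continue); they \
       are defined outside this file -- confirm.  */ \
    if (__glibc_unlikely (ch >= 0xffff)) \
      { \
        UNICODE_TAG_HANDLER (ch, 4); \
 \
        STANDARD_TO_LOOP_ERR_HANDLER (4); \
      } \
 \
    while (ch > rp1->end) \
      ++rp1; \
 \
    /* Use the UCS4 table for single byte.  The range test comes first \
       so the table is not indexed for a value outside the gap.  */ \
    if (__glibc_unlikely (ch < rp1->start) \
        || (cp = __ucs4_to_ibm935sb[ch + rp1->idx], \
            cp[0] == '\0' && ch != '\0')) \
      { \
        /* Use the UCS4 table for double byte.  */ \
        while (ch > rp2->end) \
          ++rp2; \
 \
        if (__glibc_unlikely (ch < rp2->start) \
            || (cp = __ucs4_to_ibm935db[ch + rp2->idx], \
                cp[0] == '\0' && ch != '\0')) \
          { \
            /* This is an illegal character.  */ \
            STANDARD_TO_LOOP_ERR_HANDLER (4); \
          } \
        else \
          { \
            if (curcs == sb) \
              { \
                if (__glibc_unlikely (outptr + 1 > outend)) \
                  { \
                    result = __GCONV_FULL_OUTPUT; \
                    break; \
                  } \
                *outptr++ = SO; \
                curcs = db; \
              } \
 \
            if (__glibc_unlikely (outptr + 2 > outend)) \
              { \
                result = __GCONV_FULL_OUTPUT; \
                break; \
              } \
            *outptr++ = cp[0]; \
            *outptr++ = cp[1]; \
          } \
      } \
    else \
      { \
        if (curcs == db) \
          { \
            if (__glibc_unlikely (outptr + 1 > outend)) \
              { \
                result = __GCONV_FULL_OUTPUT; \
                break; \
              } \
            *outptr++ = SI; \
            /* Record the switch as soon as `SI' is in the output, as \
               the SO case above does.  If the character itself does \
               not fit, the body stops with __GCONV_FULL_OUTPUT after \
               the shift byte was written; a state still saying db \
               would make the next call write a second `SI', which \
               the from-direction of this file rejects as illegal \
               input.  Assumes iconv/loop.c keeps the advanced OUTPTR \
               and runs UPDATE_PARAMS after a break -- confirm.  */ \
            curcs = sb; \
          } \
 \
        if (__glibc_unlikely (outptr + 1 > outend)) \
          { \
            result = __GCONV_FULL_OUTPUT; \
            break; \
          } \
        *outptr++ = cp[0]; \
      } \
 \
    /* Now that we wrote the output increment the input pointer.  */ \
    inptr += 4; \
  }
#define LOOP_NEED_FLAGS
/* The loop function receives the state pointer, works on a local copy of
   the codeset bits, reloads that copy through REINIT_PARAMS and writes
   it back through UPDATE_PARAMS.  */
#define EXTRA_LOOP_DECLS  , int *curcsp
#define INIT_PARAMS       int curcs = *curcsp & ~7
#define REINIT_PARAMS     curcs = *curcsp & ~7
#define UPDATE_PARAMS     *curcsp = curcs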
277 #include <iconv/loop.c>
278
279 /* Now define the toplevel functions. */
280 #include <iconv/skeleton.c>