CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
authorFlorian Weimer <fweimer@redhat.com>
Wed, 3 Sep 2014 17:45:43 +0000 (19:45 +0200)
committerAdhemerval Zanella <azanella@linux.vnet.ibm.com>
Fri, 16 Jan 2015 12:42:16 +0000 (07:42 -0500)
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.

ChangeLog
NEWS
iconvdata/Makefile
iconvdata/ibm1364.c
iconvdata/ibm932.c
iconvdata/ibm933.c
iconvdata/ibm935.c
iconvdata/ibm937.c
iconvdata/ibm939.c
iconvdata/ibm943.c
iconvdata/run-iconv-test.sh

index 914fca97a7bd6058bb1ecbda69a267188df1d530..120cae51d43416b659dde25561b24620ba7bcb9c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2014-09-03  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #17325]
+       * iconvdata/ibm1364.c (BODY): Fix check for sentinel.
+       * iconvdata/ibm932.c (BODY): Replace invalid sentinel check with
+       assert.
+       * iconvdata/ibm933.c (BODY): Fix check for sentinel.
+       * iconvdata/ibm935.c (BODY): Likewise.
+       * iconvdata/ibm937.c (BODY): Likewise.
+       * iconvdata/ibm939.c (BODY): Likewise.
+       * iconvdata/ibm943.c (BODY): Replace invalid sentinel check with
+       assert.
+       * iconvdata/Makefile (iconv-test.out): Pass module list to test
+       script.
+       * iconvdata/run-iconv-test.sh: New test loop for checking for
+       decoder crashers.
+
 2013-07-29  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
 
        [BZ #17213]
diff --git a/NEWS b/NEWS
index a00782990784fbb953e288c1fca1e06e470bcdc6..a6ca053318aa02f2836511818fcec7df443a81a2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,12 @@ Version 2.19.1
 * The following bugs are resolved with this release:
 
   16545, 16683, 16689, 16701, 16706, 16707, 16739, 16815, 16619, 16740,
-  17031, 17153, 17213.
+  17031, 17153, 17213, 17325.
+
+* Decoding a crafted input sequence in the character sets IBM933, IBM935,
+  IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
+  resulting a denial-of-service security vulnerability in applications which
+  use functions related to iconv. (CVE-2014-6040)
 \f
 Version 2.19
 
index 5c2154e7bffba455b681197373f4fe90a7f9ffbb..7b9ee489011935bcbf83eb16f41bb16e3c2d307d 100644 (file)
@@ -299,7 +299,10 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \
 $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
                         $(addprefix $(objpfx),$(modules.so)) \
                         $(common-objdir)/iconv/iconv_prog TESTS
-       $(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@
+       iconv_modules="$(modules)" \
+       $(SHELL) $< $(common-objdir) '$(test-wrapper-env)' \
+                '$(run-program-env)' > $@; \
+       $(evaluate-test)
 
 $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \
                         $(addprefix $(objpfx),$(modules.so)) \
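Review bot: The recipe for `$(objpfx)iconv-test.out` now passes `'$(test-wrapper-env)'` and `'$(run-program-env)'` where it used to pass a single `'$(test-wrapper)'`, but the run-iconv-test.sh hunk in this commit only adds the decoder loop and shows no change to how the script reads its positional arguments. If the script on this branch still treats `$2` as the test wrapper, the wrapper would be lost; either keep `'$(test-wrapper)'` and add only the `iconv_modules="$(modules)"` prefix, or update the script's argument handling in the same commit. The recipe also now ends in `; $(evaluate-test)`, so the script's exit status reaches make only through that variable; it is worth confirming that it is defined on this branch, presumably in a shared rules file outside this hunk.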
index 373d49a7437c4860efe1b59855a08b5a4f0c2dcd..e9ea4054577ac17060ffbe2b8826f173caea5287 100644 (file)
@@ -220,7 +220,8 @@ enum
          ++rp2;                                                              \
                                                                              \
        uint32_t res;                                                         \
-       if (__builtin_expect (ch < rp2->start, 0)                             \
+       if (__builtin_expect (rp2->start == 0xffff, 0)                        \
+           || __builtin_expect (ch < rp2->start, 0)                          \
            || (res = DB_TO_UCS4[ch + rp2->idx],                              \
                __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
          {                                                                   \
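Review bot: The literal `0xffff` in the new `rp2->start == 0xffff` test is an undocumented sentinel value, and the same constant is repeated in the ibm933.c, ibm935.c, ibm937.c and ibm939.c hunks. A comment above the `if`, for example `/* The range table is terminated by an entry with start == 0xffff; do not index the conversion table through it.  */`, would tell a maintainer why this test must come before the `DB_TO_UCS4[ch + rp2->idx]` read. Presumably the sentinel's `end` is also what stops the `++rp2` walk, which the comment should state if so. A shared named constant for the sentinel would keep the five modules and their tables from drifting apart. The BODY macro starts and ends outside this hunk.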
index 4ceeaae5b96088c23bc849b56321864e5321703e..a3f25834d85cf7db8fba05102aff8141f615997b 100644 (file)
          }                                                                   \
                                                                              \
        ch = (ch * 0x100) + inptr[1];                                         \
+       /* ch was less than 0xfd.  */                                         \
+       assert (ch < 0xfd00);                                                 \
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
-           || __builtin_expect (ch < rp2->start, 0)                          \
+       if (__builtin_expect (ch < rp2->start, 0)                             \
            || (res = __ibm932db_to_ucs4[ch + rp2->idx],                      \
            __builtin_expect (res, '\1') == 0 && ch !=0))                     \
          {                                                                   \
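Review bot: The new `assert (ch < 0xfd00)` is the only statement in this hunk that bounds the `while (ch > rp2->end)` walk once the `rp2 == NULL` test is removed, and an assert disappears when the file is compiled with NDEBUG. The actual guarantee is the lead-byte check that the comment refers to, which lies above the hunk. The comment would be clearer as `/* The lead byte was checked above to be below 0xfd, so ch < 0xfd00 and the walk stops inside the table.  */`, with the second half confirmed against the table's last `end`. The hunk also shows no `#include <assert.h>`, so confirm the file already has it. The same applies to the ibm943.c hunk; both macros start and end outside their hunks.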
index 4723df4890b273ea8c7e9977f79177ef6bccf63b..7323df4376d399e45093c9f03def8cf388c9f91e 100644 (file)
@@ -161,7 +161,7 @@ enum
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
+       if (__builtin_expect (rp2->start == 0xffff, 0)                        \
            || __builtin_expect (ch < rp2->start, 0)                          \
            || (res = __ibm933db_to_ucs4[ch + rp2->idx],                      \
                __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
index 1ed311b01fd4ea0e17a59c9bacc140ec4ff59dda..1af85dfcff883208b8568277ff38d7c147e7a093 100644 (file)
@@ -161,7 +161,7 @@ enum
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
+       if (__builtin_expect (rp2->start == 0xffff, 0)                        \
            || __builtin_expect (ch < rp2->start, 0)                          \
            || (res = __ibm935db_to_ucs4[ch + rp2->idx],                      \
                __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
index 1edaf624d0c41c7a935dd801c40051a35fa1ae83..a979bf4c36a879fbbecb80a346be4cc98191cbb0 100644 (file)
@@ -161,7 +161,7 @@ enum
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
+       if (__builtin_expect (rp2->start == 0xffff, 0)                        \
            || __builtin_expect (ch < rp2->start, 0)                          \
            || (res = __ibm937db_to_ucs4[ch + rp2->idx],                      \
                __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
index b40c486540d771e8ced6e03871854c194717f204..93582bfb5250320f3678f0b164df3d7b0f4f97d0 100644 (file)
@@ -161,7 +161,7 @@ enum
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
+       if (__builtin_expect (rp2->start == 0xffff, 0)                        \
            || __builtin_expect (ch < rp2->start, 0)                          \
            || (res = __ibm939db_to_ucs4[ch + rp2->idx],                      \
                __builtin_expect (res, L'\1') == L'\0' && ch != '\0'))        \
index 495e37909ea595d01e235efb4f59307c19a5aad2..815c3d473a54d056dbdbdfe5003cbd97d12327db 100644 (file)
          }                                                                   \
                                                                              \
        ch = (ch * 0x100) + inptr[1];                                         \
+       /* ch was less than 0xfd.  */                                         \
+       assert (ch < 0xfd00);                                                 \
        while (ch > rp2->end)                                                 \
          ++rp2;                                                              \
                                                                              \
-       if (__builtin_expect (rp2 == NULL, 0)                                 \
-           || __builtin_expect (ch < rp2->start, 0)                          \
+       if (__builtin_expect (ch < rp2->start, 0)                             \
            || (res = __ibm943db_to_ucs4[ch + rp2->idx],                      \
            __builtin_expect (res, '\1') == 0 && ch !=0))                     \
          {                                                                   \
index e23f60d4425b84f3410bf5ce5154887ba735a649..565600a059f002d6ba8a006fed062fe19a16f498 100755 (executable)
@@ -188,6 +188,24 @@ while read utf8 from filename; do
 
 done < TESTS2
 
+# Check for crashes in decoders.
+printf '\016\377\377\377\377\377\377\377' > $temp1
+for from in $iconv_modules ; do
+    echo $ac_n "test decoder $from $ac_c"
+    PROG=`eval echo $ICONV`
+    if $PROG < $temp1 >/dev/null 2>&1 ; then
+       : # fall through
+    else
+       status=$?
+       if test $status -gt 1 ; then
+           echo "/FAILED"
+           failed=1
+           continue
+       fi
+    fi
+    echo "OK"
+done
+
 exit $failed
 # Local Variables:
 #  mode:shell-script
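Review bot: A decoder that fails this check prints only `/FAILED`, and the loop discards both the exit status and stderr, so a log from a failing build does not say whether the converter died on a signal or exited with an unexpected code. Reporting the status, e.g. `echo "/FAILED (exit status $status)"`, would make this regression test more useful for triage. `$temp1` is also expanded unquoted in the `printf` redirection and in `$PROG < $temp1`; `"$temp1"` is safer if the temporary path can ever contain spaces. A short comment stating that status 1 is accepted because the input is expected to be rejected as invalid, while anything above 1 is treated as a crash, would document the `-gt 1` threshold.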