From dd9ec10913da97c0a5b64f5fd9ac195a61ef13b1 Mon Sep 17 00:00:00 2001
From: Szabolcs Nagy
Date: Mon, 26 Sep 2022 15:38:19 +0100
Subject: [PATCH] Fix off-by-one OOB write in iconv/tst-iconv-mt

The iconv buffer sizes must not include the \0 string terminator. When \0 cannot be part of a valid character encoding glibc iconv would copy it to the output as expected, but then later the explicit output termination with *outbufpos = '\0' is out of bounds.
---
 iconv/tst-iconv-mt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iconv/tst-iconv-mt.c b/iconv/tst-iconv-mt.c
index daaebd273bb..0320885c069 100644
--- a/iconv/tst-iconv-mt.c
+++ b/iconv/tst-iconv-mt.c
@@ -58,11 +58,11 @@ worker (void * arg)
 char ascii[] = CONV_INPUT;
 char *inbufpos = ascii;
- size_t inbytesleft = sizeof (CONV_INPUT);
+ size_t inbytesleft = sizeof (CONV_INPUT) - 1;
 char *utf8 = xcalloc (sizeof (CONV_INPUT), 1);
 char *outbufpos = utf8;
- size_t outbytesleft = sizeof (CONV_INPUT);
+ size_t outbytesleft = sizeof (CONV_INPUT) - 1;
 if (tidx < TCOUNT/2)
 /* The first half of the worker thread pool synchronize together here,
--
2.47.2
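Review bot: The three `sizeof (CONV_INPUT)` expressions in this hunk now depend on each other silently: the `inbytesleft` and `outbytesleft` lines exclude the NUL, while the `xcalloc` between them keeps the full size so the terminator stored later still fits, and nothing in the code says so. A comment next to `outbytesleft` would keep a future edit from re-introducing the off-by-one, e.g. `/* Lengths exclude the NUL; utf8 keeps one spare byte for the terminator stored after iconv.  */`. The sizing also appears to rely on the ASCII-to-UTF-8 output being no longer than the input, which holds for an ASCII literal but would leave iconv short of output space if CONV_INPUT ever gained non-ASCII bytes; worth stating in the same comment. The body of `worker` and the `*outbufpos = '\0'` store named in the commit message lie outside the hunk.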