mirror of
https://sourceware.org/git/glibc.git
synced 2024-12-22 10:50:07 +00:00
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d1183
.
This commit is contained in:
parent
a78b712d40
commit
41488498b6
17
ChangeLog
17
ChangeLog
@ -1,3 +1,20 @@
|
||||
2014-09-03 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #17325]
|
||||
* iconvdata/ibm1364.c (BODY): Fix check for sentinel.
|
||||
* iconvdata/ibm932.c (BODY): Replace invalid sentinel check with
|
||||
assert.
|
||||
* iconvdata/ibm933.c (BODY): Fix check for sentinel.
|
||||
* iconvdata/ibm935.c (BODY): Likewise.
|
||||
* iconvdata/ibm937.c (BODY): Likewise.
|
||||
* iconvdata/ibm939.c (BODY): Likewise.
|
||||
* iconvdata/ibm943.c (BODY): Replace invalid sentinel check with
|
||||
assert.
|
||||
* iconvdata/Makefile (iconv-test.out): Pass module list to test
|
||||
script.
|
||||
* iconvdata/run-iconv-test.sh: New test loop for checking for
|
||||
decoder crashers.
|
||||
|
||||
2014-09-02 Khem Raj <raj.khem@gmail.com>
|
||||
|
||||
* sysdeps/powerpc/powerpc32/e500/nofpu/fegetenv.c (fegetenv): Add
|
||||
|
7
NEWS
7
NEWS
@ -23,7 +23,7 @@ Version 2.20
|
||||
16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
|
||||
17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
|
||||
17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
|
||||
17187, 17213, 17259, 17261, 17262, 17263, 17319.
|
||||
17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325.
|
||||
|
||||
* Reverted change of ABI data structures for s390 and s390x:
|
||||
On s390 and s390x the size of struct ucontext and jmp_buf was increased in
|
||||
@ -115,6 +115,11 @@ Version 2.20
|
||||
normal gconv conversion modules are still supported. Transliteration
|
||||
with //TRANSLIT is still possible, and the //IGNORE specifier
|
||||
continues to be supported. (CVE-2014-5119)
|
||||
|
||||
* Decoding a crafted input sequence in the character sets IBM933, IBM935,
|
||||
IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
|
||||
resulting a denial-of-service security vulnerability in applications which
|
||||
use functions related to iconv. (CVE-2014-6040)
|
||||
|
||||
Version 2.19
|
||||
|
||||
|
@ -297,6 +297,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \
|
||||
$(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
|
||||
$(addprefix $(objpfx),$(modules.so)) \
|
||||
$(common-objdir)/iconv/iconv_prog TESTS
|
||||
iconv_modules="$(modules)" \
|
||||
$(SHELL) $< $(common-objdir) '$(test-wrapper-env)' \
|
||||
'$(run-program-env)' > $@; \
|
||||
$(evaluate-test)
|
||||
|
@ -221,7 +221,8 @@ enum
|
||||
++rp2; \
|
||||
\
|
||||
uint32_t res; \
|
||||
if (__builtin_expect (ch < rp2->start, 0) \
|
||||
if (__builtin_expect (rp2->start == 0xffff, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = DB_TO_UCS4[ch + rp2->idx], \
|
||||
__builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
|
||||
{ \
|
||||
|
@ -74,11 +74,12 @@
|
||||
} \
|
||||
\
|
||||
ch = (ch * 0x100) + inptr[1]; \
|
||||
/* ch was less than 0xfd. */ \
|
||||
assert (ch < 0xfd00); \
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
if (__builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm932db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, '\1') == 0 && ch !=0)) \
|
||||
{ \
|
||||
|
@ -162,7 +162,7 @@ enum
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
if (__builtin_expect (rp2->start == 0xffff, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm933db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
|
||||
|
@ -162,7 +162,7 @@ enum
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
if (__builtin_expect (rp2->start == 0xffff, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm935db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
|
||||
|
@ -162,7 +162,7 @@ enum
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
if (__builtin_expect (rp2->start == 0xffff, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm937db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
|
||||
|
@ -162,7 +162,7 @@ enum
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
if (__builtin_expect (rp2->start == 0xffff, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm939db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
|
||||
|
@ -75,11 +75,12 @@
|
||||
} \
|
||||
\
|
||||
ch = (ch * 0x100) + inptr[1]; \
|
||||
/* ch was less than 0xfd. */ \
|
||||
assert (ch < 0xfd00); \
|
||||
while (ch > rp2->end) \
|
||||
++rp2; \
|
||||
\
|
||||
if (__builtin_expect (rp2 == NULL, 0) \
|
||||
|| __builtin_expect (ch < rp2->start, 0) \
|
||||
if (__builtin_expect (ch < rp2->start, 0) \
|
||||
|| (res = __ibm943db_to_ucs4[ch + rp2->idx], \
|
||||
__builtin_expect (res, '\1') == 0 && ch !=0)) \
|
||||
{ \
|
||||
|
@ -184,6 +184,24 @@ while read utf8 from filename; do
|
||||
|
||||
done < TESTS2
|
||||
|
||||
# Check for crashes in decoders.
|
||||
printf '\016\377\377\377\377\377\377\377' > $temp1
|
||||
for from in $iconv_modules ; do
|
||||
echo $ac_n "test decoder $from $ac_c"
|
||||
PROG=`eval echo $ICONV`
|
||||
if $PROG < $temp1 >/dev/null 2>&1 ; then
|
||||
: # fall through
|
||||
else
|
||||
status=$?
|
||||
if test $status -gt 1 ; then
|
||||
echo "/FAILED"
|
||||
failed=1
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
echo "OK"
|
||||
done
|
||||
|
||||
exit $failed
|
||||
# Local Variables:
|
||||
# mode:shell-script
|
||||
|
Loading…
Reference in New Issue
Block a user