CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]

These changes are based on the fix for BZ #14134 in commit
6e230d1183.
Florian Weimer 2014-09-03 19:45:43 +02:00
parent a78b712d40
commit 41488498b6
11 changed files with 54 additions and 10 deletions


@ -1,3 +1,20 @@
2014-09-03 Florian Weimer <fweimer@redhat.com>
[BZ #17325]
* iconvdata/ibm1364.c (BODY): Fix check for sentinel.
* iconvdata/ibm932.c (BODY): Replace invalid sentinel check with
assert.
* iconvdata/ibm933.c (BODY): Fix check for sentinel.
* iconvdata/ibm935.c (BODY): Likewise.
* iconvdata/ibm937.c (BODY): Likewise.
* iconvdata/ibm939.c (BODY): Likewise.
* iconvdata/ibm943.c (BODY): Replace invalid sentinel check with
assert.
* iconvdata/Makefile (iconv-test.out): Pass module list to test
script.
* iconvdata/run-iconv-test.sh: New test loop for checking for
decoder crashers.
2014-09-02 Khem Raj <raj.khem@gmail.com> 2014-09-02 Khem Raj <raj.khem@gmail.com>
* sysdeps/powerpc/powerpc32/e500/nofpu/fegetenv.c (fegetenv): Add * sysdeps/powerpc/powerpc32/e500/nofpu/fegetenv.c (fegetenv): Add

7
NEWS

@ -23,7 +23,7 @@ Version 2.20
16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031, 16966, 16967, 16977, 16978, 16984, 16990, 16996, 17009, 17022, 17031,
17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, 17079,
17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, 17153,
17187, 17213, 17259, 17261, 17262, 17263, 17319. 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325.
* Reverted change of ABI data structures for s390 and s390x: * Reverted change of ABI data structures for s390 and s390x:
On s390 and s390x the size of struct ucontext and jmp_buf was increased in On s390 and s390x the size of struct ucontext and jmp_buf was increased in
@ -115,6 +115,11 @@ Version 2.20
normal gconv conversion modules are still supported. Transliteration normal gconv conversion modules are still supported. Transliteration
with //TRANSLIT is still possible, and the //IGNORE specifier with //TRANSLIT is still possible, and the //IGNORE specifier
continues to be supported. (CVE-2014-5119) continues to be supported. (CVE-2014-5119)
* Decoding a crafted input sequence in the character sets IBM933, IBM935,
IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
resulting a denial-of-service security vulnerability in applications which
use functions related to iconv. (CVE-2014-6040)
Version 2.19 Version 2.19


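--- a/iconvdata/Makefile
+++ b/iconvdata/Makefile
@@ -297,6 +297,7 @@ $(objpfx)tst-iconv7.out: $(objpfx)gconv-modules \
 $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
 $(addprefix $(objpfx),$(modules.so)) \
 $(common-objdir)/iconv/iconv_prog TESTS
+iconv_modules="$(modules)" \
 $(SHELL) $< $(common-objdir) '$(test-wrapper-env)' \
 '$(run-program-env)' > $@; \
 $(evaluate-test)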


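--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -221,7 +221,8 @@ enum
 ++rp2; \
 \
 uint32_t res; \
-if (__builtin_expect (ch < rp2->start, 0) \
+if (__builtin_expect (rp2->start == 0xffff, 0) \
+|| __builtin_expect (ch < rp2->start, 0) \
 || (res = DB_TO_UCS4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \
 { \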
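Review bot: The new `rp2->start == 0xffff` test on the `if` line is a bounds check only if the idx table really terminates in an entry whose start is 0xffff, and that terminator is not visible in this hunk; the `while (ch > rp2->end)` loop just above stops at such an entry only because ch, built from two bytes, is at most 0xffff. The code now silently depends on that table layout, so a comment pinning it would stop a regenerated table from reintroducing the out-of-bounds read, e.g. `/* The idx table ends in a sentinel entry with start == 0xffff; ch <= 0xffff, so the loop above always stops at or before it.  */`. Ordering the sentinel test before the `DB_TO_UCS4[ch + rp2->idx]` read is what makes the short-circuit safe; keep it first if this is ever reshuffled. The BODY macro this belongs to begins and ends outside the hunk.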


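--- a/iconvdata/ibm932.c
+++ b/iconvdata/ibm932.c
@@ -74,11 +74,12 @@
 } \
 \
 ch = (ch * 0x100) + inptr[1]; \
+/* ch was less than 0xfd. */ \
+assert (ch < 0xfd00); \
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
-|| __builtin_expect (ch < rp2->start, 0) \
+if (__builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm932db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, '\1') == 0 && ch !=0)) \
 { \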
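Review bot: The `assert (ch < 0xfd00)` is compiled out under NDEBUG, so it is a statement of an invariant, not a runtime guard; the only thing that now keeps `while (ch > rp2->end)` from walking off the idx table is that the table's last entry covers every value below 0xfd00, and neither that table nor the lead-byte check the comment refers to is in this hunk. Since the removed `rp2 == NULL` test could never fire for a pointer that is only ever incremented, the assert is the right replacement, but its comment should say what it actually relies on: `/* The lead byte was rejected above unless < 0xfd, so ch < 0xfd00; the idx table must cover that whole range or the loop below runs past its end.  */`. The enclosing BODY macro starts and ends outside the hunk.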


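--- a/iconvdata/ibm933.c
+++ b/iconvdata/ibm933.c
@@ -162,7 +162,7 @@ enum
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
+if (__builtin_expect (rp2->start == 0xffff, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm933db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \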
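Review bot: The replacement `rp2->start == 0xffff` test is only meaningful if `__ibm933db_to_ucs4_idx` (not in the hunk) ends in an entry with start 0xffff and an end the loop above cannot exceed; nothing in the code says so, and the old `rp2 == NULL` test shows how easily a check that "looks" like a bounds check can be dead. Add a one-line comment next to the test naming that dependency, e.g. `/* Sentinel: the idx table ends in an entry with start == 0xffff.  */`, so the invariant is visible to whoever regenerates the table. The same remark applies to the identical ibm935/ibm937/ibm939 hunks; the BODY macro begins and ends outside this hunk.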


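--- a/iconvdata/ibm935.c
+++ b/iconvdata/ibm935.c
@@ -162,7 +162,7 @@ enum
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
+if (__builtin_expect (rp2->start == 0xffff, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm935db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \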


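--- a/iconvdata/ibm937.c
+++ b/iconvdata/ibm937.c
@@ -162,7 +162,7 @@ enum
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
+if (__builtin_expect (rp2->start == 0xffff, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm937db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \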


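--- a/iconvdata/ibm939.c
+++ b/iconvdata/ibm939.c
@@ -162,7 +162,7 @@ enum
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
+if (__builtin_expect (rp2->start == 0xffff, 0) \
 || __builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm939db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, L'\1') == L'\0' && ch != '\0')) \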


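--- a/iconvdata/ibm943.c
+++ b/iconvdata/ibm943.c
@@ -75,11 +75,12 @@
 } \
 \
 ch = (ch * 0x100) + inptr[1]; \
+/* ch was less than 0xfd. */ \
+assert (ch < 0xfd00); \
 while (ch > rp2->end) \
 ++rp2; \
 \
-if (__builtin_expect (rp2 == NULL, 0) \
-|| __builtin_expect (ch < rp2->start, 0) \
+if (__builtin_expect (ch < rp2->start, 0) \
 || (res = __ibm943db_to_ucs4[ch + rp2->idx], \
 __builtin_expect (res, '\1') == 0 && ch !=0)) \
 { \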
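Review bot: As in ibm932, `assert (ch < 0xfd00)` disappears under NDEBUG, so termination of `while (ch > rp2->end)` rests entirely on the last entry of `__ibm943db_to_ucs4_idx` (outside the hunk) covering everything below 0xfd00. The comment above the assert should name that dependency rather than just restating the lead-byte bound, e.g. `/* Lead byte < 0xfd was checked above, so ch < 0xfd00; the idx table must cover that whole range or the loop below runs past its end.  */`. The BODY macro containing this starts and ends outside the hunk.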


@ -184,6 +184,24 @@ while read utf8 from filename; do
done < TESTS2 done < TESTS2
# Check for crashes in decoders.
printf '\016\377\377\377\377\377\377\377' > $temp1
for from in $iconv_modules ; do
echo $ac_n "test decoder $from $ac_c"
PROG=`eval echo $ICONV`
if $PROG < $temp1 >/dev/null 2>&1 ; then
: # fall through
else
status=$?
if test $status -gt 1 ; then
echo "/FAILED"
failed=1
continue
fi
fi
echo "OK"
done
exit $failed exit $failed
# Local Variables: # Local Variables:
# mode:shell-script # mode:shell-script
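Review bot: The failure branch at `echo "/FAILED"` discards `$status`, and the `$PROG < $temp1 >/dev/null 2>&1` line has already thrown away stderr, so a segfault, an abort from the new asserts and any other exit status above 1 are all reported identically; printing the status, `echo "/FAILED (exit status $status)"`, costs nothing and tells the reader which it was. The single probe `\016\377\377…` is aimed at the DBCS path of the shift-state decoders; going by the `assert (ch < 0xfd00)` comment in the ibm932/ibm943 hunks, a 0xff lead byte is presumably rejected there before the changed code runs, so those two modules would need a second input with an in-range lead byte and an out-of-range trail byte to be exercised at all. Treating exit status 1 as success is presumably deliberate (iconv_prog's normal "invalid input" result), but a one-line comment saying so, `# status 1 = conversion error, anything higher = crash`, would keep the threshold from being "fixed" later. The definition of `$ICONV` and the rest of the script lie outside the hunk.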