diff options
author | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2022-09-26 15:38:19 +0100 |
---|---|---|
committer | Szabolcs Nagy <szabolcs.nagy@arm.com> | 2022-11-22 14:24:26 +0000 |
commit | 44d649d3c4051391782d8c893004dd7efec2ce70 (patch) | |
tree | 8d2ae29d6299b7baa81c8905e4bbafe3ba10eb48 /iconv | |
parent | 4054cc2093279d68092104b3f8c059b81cceb776 (diff) | |
download | glibc-44d649d3c4051391782d8c893004dd7efec2ce70.tar.gz glibc-44d649d3c4051391782d8c893004dd7efec2ce70.tar.xz glibc-44d649d3c4051391782d8c893004dd7efec2ce70.zip |
Fix off-by-one OOB write in iconv/tst-iconv-mt
The iconv buffer sizes must not include the \0 string terminator. When \0 cannot be part of a valid character encoding glibc iconv would copy it to the output as expected, but then later the explicit output termination with *outbufpos = '\0' is out of bounds.
Diffstat (limited to 'iconv')
-rw-r--r-- | iconv/tst-iconv-mt.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/iconv/tst-iconv-mt.c b/iconv/tst-iconv-mt.c index daaebd273b..0320885c06 100644 --- a/iconv/tst-iconv-mt.c +++ b/iconv/tst-iconv-mt.c @@ -58,11 +58,11 @@ worker (void * arg) char ascii[] = CONV_INPUT; char *inbufpos = ascii; - size_t inbytesleft = sizeof (CONV_INPUT); + size_t inbytesleft = sizeof (CONV_INPUT) - 1; char *utf8 = xcalloc (sizeof (CONV_INPUT), 1); char *outbufpos = utf8; - size_t outbytesleft = sizeof (CONV_INPUT); + size_t outbytesleft = sizeof (CONV_INPUT) - 1; if (tidx < TCOUNT/2) /* The first half of the worker thread pool synchronize together here, |