From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Mon, 21 Dec 2020 08:56:43 +0530
Subject: Fix buffer overrun in EUC-KR conversion module (bz #24973)

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.
---
 iconvdata/euc-kr.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'iconvdata/euc-kr.c')

diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c
index b0d56cf3ee..1045bae926 100644
--- a/iconvdata/euc-kr.c
+++ b/iconvdata/euc-kr.c
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp)
 									      \
     if (ch <= 0x9f)							      \
       ++inptr;								      \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
-       user-defined areas.  */						      \
-    else if (__builtin_expect (ch == 0xa0, 0)				      \
-	     || __builtin_expect (ch > 0xfe, 0)				      \
-	     || __builtin_expect (ch == 0xc9, 0))			      \
+    else if (__glibc_unlikely (ch == 0xa0))				      \
       {									      \
 	/* This is illegal.  */						      \
 	STANDARD_FROM_LOOP_ERR_HANDLER (1);				      \
-- 
cgit 1.4.1